WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
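The three steps above, worked through in PHP as an added example that is not taken from the scan report or from any of the plugins listed below. It assumes a hypothetical settings form that posts the fields `mp_title`, `mp_per_page`, `mp_layout` and `mp_return_url`, and hypothetical option names with an `mp_` prefix; the flagged pattern is shown first so the difference is visible in one place.

```php
<?php
// Added example (not from the scan page or any listed plugin).
// Assumes a hypothetical settings form posting mp_title, mp_per_page,
// mp_layout and mp_return_url, stored under hypothetical mp_* options.

// What the sniff flags: the superglobal value is sanitized while still slashed.
// WordPress runs wp_magic_quotes() at load time, so a submitted O'Reilly
// arrives in $_POST as O\'Reilly. sanitize_text_field() keeps the backslash,
// so the stored value and any comparison against "O'Reilly" are both wrong.
function mp_save_settings_flagged() {
    $title = sanitize_text_field( $_POST['mp_title'] ); // MissingUnslash
    update_option( 'mp_title', $title );
}

// Corrected: read each key, unslash it, sanitize for its type, validate, then use.
// Returns a WP_Error on bad input; on success it stores the settings and redirects.
function mp_save_settings_fixed() {
    $required = array( 'mp_title', 'mp_per_page', 'mp_layout', 'mp_return_url' );
    foreach ( $required as $key ) {
        if ( ! isset( $_POST[ $key ] ) ) {
            return new WP_Error( 'mp_missing', "Missing field: {$key}" );
        }
    }

    // Step 1: unslash the specific keys (wp_unslash() also walks arrays).
    $title      = wp_unslash( $_POST['mp_title'] );
    $per_page   = wp_unslash( $_POST['mp_per_page'] );
    $layout     = wp_unslash( $_POST['mp_layout'] );
    $return_url = wp_unslash( $_POST['mp_return_url'] );

    // Step 2: sanitize with a function that matches the expected data type.
    $title      = sanitize_text_field( $title ); // free text, one line
    $per_page   = absint( $per_page );           // non-negative integer
    $layout     = sanitize_key( $layout );       // lowercase slug
    $return_url = esc_url_raw( $return_url );    // URL for storage/redirect, not for HTML

    // Step 3: validate before the values reach stored settings or a redirect.
    if ( '' === $title || mb_strlen( $title ) > 100 ) {
        return new WP_Error( 'mp_title', 'Title must be 1 to 100 characters.' );
    }
    if ( $per_page < 1 || $per_page > 50 ) {
        return new WP_Error( 'mp_per_page', 'Per-page must be between 1 and 50.' );
    }
    if ( ! in_array( $layout, array( 'grid', 'list' ), true ) ) {
        return new WP_Error( 'mp_layout', 'Unknown layout.' );
    }
    if ( '' === $return_url ) {
        $return_url = admin_url( 'options-general.php' );
    }

    update_option( 'mp_title', $title );
    update_option( 'mp_per_page', $per_page );
    update_option( 'mp_layout', $layout );

    // wp_safe_redirect() only follows hosts on the allowed_redirect_hosts list
    // and otherwise falls back to admin_url(), so the sanitized URL is still
    // passed through a second, redirect-specific check here.
    wp_safe_redirect( $return_url );
    exit;
}
```

The sanitizer is chosen per field rather than applied uniformly: `absint()` for the integer, `sanitize_key()` for a value that is then compared against a fixed list, and `esc_url_raw()` rather than `esc_url()` because the URL is stored and redirected to, not printed into markup.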
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2101 | Thumbnail carousel slider | 34 | 277 | 143 | 2k+ | | | Output is not escaped |
| #2102 | WP SendFox | 34 | 296 | 118 | 1k+ | | | Text Domain Mismatch |
| #2103 | WP Subscription Forms – Subscription Form Plugin for WordPress | 34 | 131 | 220 | 400 | | | Non-prefixed global variable |
| #2104 | WP Twitter Feeds | 34 | 202 | 82 | 2k+ | | | Output is not escaped |
| #2105 | WP Ultimate Post Grid | 34 | 114 | 74 | 4k+ | | | Missing direct file access protection |
| #2106 | Vertical Image Slider | 34 | 264 | 138 | 1k+ | | | Output is not escaped |
| #2107 | Live Visitor Counter | 34 | 108 | 114 | 4k+ | | | Interpolated SQL is not prepared |
| #2108 | Wp Favs – Plugin Manager | 34 | 238 | 153 | 3k+ | | | Text Domain Mismatch |
| #2109 | WPLMS MyCred AddOn | 34 | 383 | 73 | 800 | | | Text Domain Mismatch |
| #2110 | YourChannel: Everything you want in a YouTube plugin. | 34 | 262 | 115 | 10k+ | | | Text Domain Mismatch |
| #2111 | Embed Plus for YouTube Gallery, Livestream and Lazy Loading with Facades | 34 | 571 | 195 | 100k+ | | | Output is not escaped |
| #2112 | Zero Spam for WordPress | 34 | 79 | 393 | 20k+ | | | Non-prefixed global variable |
| #2113 | zipMoney(Zip Co) Payments Plugin for WooCommerce | 34 | 147 | 70 | 2k+ | | | Text Domain Mismatch |
| #2114 | Absolute Addons For Elementor | 35 | 86 | 286 | 400 | | | Non-prefixed global variable |
| #2115 | Advanced Custom Fields : CPT Options Pages | 35 | 37 | 11 | 2k+ | | | Output is not escaped |
| #2116 | Advanced Custom Fields: Image Aspect Ratio Crop Field | 35 | 70 | 37 | 20k+ | | | Text Domain Mismatch |
| #2117 | ACF OpenStreetMap Field | 35 | 40 | 46 | 9k+ | | | Non-prefixed global variable |
| #2118 | Admin Color Schemer | 35 | 166 | 20 | 1k+ | | | Exception output is not escaped |
| #2119 | Advanced Permalinks | 35 | 94 | 76 | 400 | | | wp function not compatible with requires wp |
| #2120 | Advanced Reporting for Woocommerce | 35 | 296 | 101 | 400 | | | Output is not escaped |
| #2121 | Affiliate Link Marker | 35 | 31 | 4 | 400 | | | Text Domain Mismatch |
| #2122 | AfterSalesPro Plugin | 35 | 24 | 111 | 400 | | | Nonce verification recommended |
| #2123 | SOOZ – AI for SEO – Bulk Generate Focus Keyphrases, Metadata, Alt Text (SEO Autopilot) | 35 | 44 | 394 | 2k+ | | | Nonce verification recommended |
| #2124 | AMIMOTO Plugin Dashboard | 35 | 82 | 82 | 900 | | | Non Singular String Literal Domain |
| #2125 | Amministrazione Trasparente | 35 | 80 | 46 | 1k+ | | | Output is not escaped |
| #2126 | Antideo Email Validator | 35 | 38 | 98 | 800 | | | Missing nonce verification |
| #2127 | Tuskcode Map Pro for Bing Maps | 35 | 59 | 359 | 700 | | | Direct Query |
| #2128 | AppMySite – WordPress & WooCommerce Mobile App Builder (No-Code Android & iOS App Maker) | 35 | 165 | 37 | 8k+ | | | Missing Arg Domain |
| #2129 | Aquila Admin Theme | 35 | 151 | 329 | 3k+ | | | Non-prefixed global variable |
| #2130 | Author Box WP Lens | 35 | 169 | 49 | 1k+ | | | Unsafe printing function |
| #2131 | Authors Widget | 35 | 170 | 19 | 1k+ | | | Output is not escaped |
| #2132 | Auto Login for Sakura Rental Server | 35 | 3 | 3 | 10k+ | | | Hidden files included |
| #2133 | Automatic Internal Links for SEO by Pagup | 35 | 34 | 215 | 1k+ | | | error log error log |
| #2134 | Automatic YouTube Gallery | 35 | 83 | 59 | 9k+ | | | Output is not escaped |
| #2135 | Avif Express | 35 | 26 | 167 | 400 | | | Input is not validated |
| #2136 | Awin – Advertiser Tracking for WooCommerce | 35 | 46 | 39 | 1k+ | | | Non Singular String Literal Domain |
| #2137 | BackWPup – WordPress Backup & Restore Plugin | 35 | 12 | 779 | 500k+ | | | Non-prefixed global variable |
| #2138 | Basic Google Maps Placemarks | 35 | 189 | 80 | 3k+ | | | Output is not escaped |
| #2139 | Before After Image Comparison – Visual Comparison for Two Images | 35 | 19 | 16 | 3k+ | | | Text Domain Mismatch |
| #2140 | Before After Image Comparison Slider for WPBakery Page Builder | 35 | 58 | 59 | 1k+ | | | Output is not escaped |
| #2141 | belingoGeo | 35 | 136 | 133 | 1k+ | | | Output is not escaped |
| #2142 | Better Recent Comments | 35 | 127 | 29 | 2k+ | | | Text Domain Mismatch |
| #2143 | Bicycles by falbar | 35 | 426 | 65 | 600 | | | Output is not escaped |
| #2144 | Block Comment Spam Bots | 35 | 31 | 17 | 800 | | | Output is not escaped |
| #2145 | Gutenberg Block Editor Toolkit – EditorsKit | 35 | 61 | 25 | 20k+ | | | Text Domain Mismatch |
| #2146 | Blogsqode – Blog Layouts and News Post Design | 35 | 430 | 63 | 400 | | | Text Domain Mismatch |
| #2147 | BlossomThemes Toolkit | 35 | 347 | 52 | 30k+ | | | Output is not escaped |
| #2148 | Bluehost Site Migrator | 35 | 11 | 18 | 4k+ | | | Missing direct file access protection |
| #2149 | Tooltipy (tooltips for WP) | 35 | 370 | 125 | 1k+ | | | Text Domain Mismatch |
| #2150 | Bootstrap for Contact Form 7 | 35 | 35 | 73 | 10k+ | | | Nonce verification recommended |