WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
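The three steps above applied in one settings handler, as an added example that is not code from this page or from any listed plugin. The `myplugin` prefix, the field names, the allowed values, and the settings-page URL are assumptions; the code is meant to live in a plugin file loaded by WordPress.

```php
<?php
// Added example. "myplugin", its field names, option name, and the allowed
// mode values are hypothetical; every function called is WordPress core API.

add_action( 'admin_post_myplugin_save', 'myplugin_handle_save' );

function myplugin_handle_save() {
	// Capability and nonce checks run before any request value is used.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Not allowed.', 'myplugin' ), '', array( 'response' => 403 ) );
	}
	check_admin_referer( 'myplugin_save', 'myplugin_nonce' );

	// Flagged pattern (MissingUnslash): the value still carries the slashes
	// WordPress added, so a submitted "Bob's Shop" is stored as "Bob\'s Shop".
	// $label = sanitize_text_field( $_POST['myplugin_label'] );

	// Step 1: read the specific key. Step 2: wp_unslash() it.
	// Step 3: sanitize with a function that matches the expected type.
	$label = isset( $_POST['myplugin_label'] )
		? sanitize_text_field( wp_unslash( $_POST['myplugin_label'] ) )
		: '';

	$mode = isset( $_POST['myplugin_mode'] )
		? sanitize_key( wp_unslash( $_POST['myplugin_mode'] ) )
		: '';

	// Validate the sanitized values before they reach stored settings.
	// The strict in_array() comparison is the kind of check that fails
	// unexpectedly when the input is still slashed.
	$allowed_modes = array( 'grid', 'list' );
	if ( '' === $label || ! in_array( $mode, $allowed_modes, true ) ) {
		wp_die( esc_html__( 'Invalid settings.', 'myplugin' ), '', array( 'response' => 400 ) );
	}

	update_option(
		'myplugin_settings',
		array(
			'label' => $label,
			'mode'  => $mode,
		)
	);

	wp_safe_redirect( admin_url( 'options-general.php?page=myplugin&updated=1' ) );
	exit;
}
```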

Affected Plugins

| Rank | Plugin | Score / Errors / Warnings / Installs / Added / Updated | Top Issue |
|---|---|---|---|
| #2151 | Custom Order Status Manager for WooCommerce | 356306730k+ | Text Domain Mismatch |
| #2152 | Registration Options for BuddyPress | 35471321k+ | Non-prefixed function |
| #2153 | Brightcove Video Connect | 35580235600 | Text Domain Mismatch |
| #2154 | Brozzme DB Prefix & Tools Addons | 35244210k+ | Request data is not unslashed |
| #2155 | BSK Forms Blacklist | 358315501k+ | Output is not escaped |
| #2156 | BTCPay Server – Accept Bitcoin payments in WooCommerce | 3548861k+ | Missing nonce verification |
| #2157 | Buying Buddy IDX CRM – Real Estate MLS Plugin | 3571240500 | Request data is not unslashed |
| #2158 | C3 Cloudfront Cache Controller | 35109603k+ | Non Singular String Literal Domain |
| #2159 | Cache Enabler | 35447590k+ | Input is not sanitized |
| #2160 | CatFolders – WordPress Media Library Folders & Categories | 3535766k+ | Direct Query |
| #2161 | CF7 Spreadsheets | 3510062400 | Text Domain Mismatch |
| #2162 | CF7 Submissions – Securely Store Contact Form 7 Data and Attachments, Reply to the Sender and more | 35161192k+ | Non-prefixed global variable |
| #2163 | Popup for CF7 with Sweet Alert | 3526122k+ | Text Domain Mismatch |
| #2164 | CF7 Views – Complete Entry Management for Contact Form 7 | 351721811k+ | Output is not escaped |
| #2165 | Change Quantity on Checkout for WooCommerce | 35270324k+ | wp function not compatible with requires wp |
| #2166 | CHP Ads Block Detector | 3510935900 | Output is not escaped |
| #2167 | Cloudflare | 352785200k+ | Non-prefixed namespace |
| #2168 | Flexible SSL for CloudFlare | 3596100k+ | Output is not escaped |
| #2169 | CM E-Mail Blacklist – Simple email filtering for safer registration | 35269205800 | Output is not escaped |
| #2170 | CompressX — AVIF & WebP Converter, Media Replacement | 352642340k+ | Missing nonce verification |
| #2171 | Conditional Menus | 35922860k+ | Text Domain Mismatch |
| #2172 | Conditional Widgets | 3567337k+ | Output is not escaped |
| #2173 | EasyTest – Simplify A/B Testing | 3597610k+ | Non-prefixed global variable |
| #2174 | Cookie Information – Cookie Banner with Consent Mode v2 | 35185282k+ | Output is not escaped |
| #2175 | Cookies and Content Security Policy | 3526141210k+ | Output is not escaped |
| #2176 | Core Framework | 35706210k+ | Text Domain Mismatch |
| #2177 | Coupon X – Discount Popups, Promo Codes Pop Ups for WooCommerce & Announcement Popups | 35301681k+ | Non-prefixed global variable |
| #2178 | CrowdSec | 351301192k+ | Output is not escaped |
| #2179 | CubeWP Framework | 35114714k+ | wp function not compatible with requires wp |
| #2180 | Cue by AudioTheme.com | 35281506k+ | Non-prefixed hook name |
| #2181 | Currency Switcher for WooCommerce | 3516661800 | Text Domain Mismatch |
| #2182 | Custom CSS and JavaScript | 35389110k+ | Input is not sanitized |
| #2183 | Custom JavaScript Editor | 35823400 | Missing Version |
| #2184 | Custom Post Type Maker | 35240866k+ | Unsafe printing function |
| #2185 | Dadevarzan WordPress Common | 355671700 | Text Domain Mismatch |
| #2186 | Datafeedr Product Sets | 356022065k+ | Output is not escaped |
| #2187 | Deposits & Partial Payments for WooCommerce | 351721445k+ | Text Domain Mismatch |
| #2188 | Dintero Checkout for WooCommerce Payment Methods | 355848600 | Text Domain Mismatch |
| #2189 | PiWeb Disable payment method / Partial payment for WooCommerce | 35552214k+ | Non-prefixed class |
| #2190 | Disable XML-RPC-API | 3544452100k+ | Text Domain Mismatch |
| #2191 | Disk Usage Sunburst | 3530349k+ | Output is not escaped |
| #2192 | Potent Donations for WooCommerce | 3514252k+ | Missing nonce verification |
| #2193 | Duplica – Duplicate Posts, Pages, Custom Posts or Users | 3514312k+ | Non-prefixed global variable |
| #2194 | DynamicTags | 35116162k+ | Text Domain Mismatch |
| #2195 | Easy Dash for LearnDash | 3562388800 | Text Domain Mismatch |
| #2196 | Easy Noindex And Nofollow | 355518400 | Output is not escaped |
| #2197 | Easy Panorama | 3512010500 | Non Singular String Literal Domain |
| #2198 | Easy Post Types and Fields | 351381351k+ | Text Domain Mismatch |
| #2199 | Product Bundle Builder for WooCommerce | 351561346k+ | Text Domain Mismatch |
| #2200 | Easy Social Icons | 3518215820k+ | Output is not escaped |