WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is sanitized or used before the slashes WordPress added to it at load time have been removed with `wp_unslash()`.
Why It Shows Up
WordPress still emulates PHP's long-removed `magic_quotes_gpc`: at load time `wp_magic_quotes()` runs `add_magic_quotes()` over `$_GET`, `$_POST`, `$_COOKIE` and `$_SERVER`, and rebuilds `$_REQUEST` from the slashed copies, so every quote and backslash in user input arrives with an extra backslash in front of it. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
The added backslashes are not part of what the user submitted, but every function downstream treats them as if they were. Sanitizers such as `sanitize_text_field()` keep them, so an allow-list or equality check can reject legitimate input (`O'Brien` never equals `O\'Brien`), options and post meta end up storing stray backslashes, and a value that is later escaped again for SQL or JSON is double-escaped. The sniff is therefore about the correctness of the sanitize-then-validate chain rather than a direct injection: output escaping and `$wpdb->prepare()` are still required on the unslashed value, they do not replace it.
How to Fix
- Check that the specific request key is set, read it, then call `wp_unslash()` on it (it recurses into arrays, so one call covers list fields).
- Sanitize the unslashed value with a function that matches the expected data type, for example `sanitize_text_field()`, `sanitize_key()`, `absint()` or `sanitize_email()`.
- Validate the sanitized value (allow-list, range, format) before using it in permissions, queries, redirects, or stored settings; nonce and capability checks belong in front of all of this.
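The flagged pattern next to the fixed one, as an added example that is not code from any plugin listed on this page. The functions `example_save_dir_flagged()`, `example_save_dir_fixed()` and `example_post_ids()`, the `report_dir` and `post_ids` request keys, the allow-list and the request values are constructed for illustration; the two `function_exists()` stand-ins exist only so the file runs outside WordPress, where core's `wp_unslash()` is `stripslashes_deep()` and core's `sanitize_text_field()` does more than strip tags and trim.

```php
<?php
/**
 * Added example, not code from any plugin in the table below.
 * Stand-ins for two core functions so the file runs with plain `php`.
 * Inside WordPress both branches are skipped and core's versions are used.
 */
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $value ) {
        if ( is_array( $value ) ) {
            return array_map( 'wp_unslash', $value );
        }
        return is_string( $value ) ? stripslashes( $value ) : $value;
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        return trim( strip_tags( (string) $str ) );
    }
}

/**
 * Constructed request data. The user typed  O'Brien\Reports  into the form;
 * WordPress's wp_magic_quotes() had already turned it into the slashed
 * string below by the time any plugin code reads $_POST.
 */
$_POST['report_dir'] = "O\\'Brien\\\\Reports";
$_POST['post_ids']   = array( '12', '7\\', 'abc' );

/** What the sniff flags: the still-slashed value goes straight into the sanitizer. */
function example_save_dir_flagged() {
    return sanitize_text_field( $_POST['report_dir'] );
}

/**
 * What the sniff expects: check the key, unslash, sanitize for the type,
 * then validate against an allow-list before the value reaches update_option().
 * A real handler runs check_admin_referer() and current_user_can() first;
 * they are out of scope for this example.
 */
function example_save_dir_fixed( array $allowed_dirs ) {
    if ( ! isset( $_POST['report_dir'] ) ) {
        return null;
    }
    $dir = sanitize_text_field( wp_unslash( $_POST['report_dir'] ) );
    // Strict comparison on the cleaned value: no stray backslash can get in the way.
    return in_array( $dir, $allowed_dirs, true ) ? $dir : null;
}

/** wp_unslash() recurses into arrays, so one call covers a list of IDs. */
function example_post_ids() {
    if ( ! isset( $_POST['post_ids'] ) || ! is_array( $_POST['post_ids'] ) ) {
        return array();
    }
    $ids = array_map( 'intval', wp_unslash( $_POST['post_ids'] ) );
    // Keep only positive integers; non-numeric entries became 0 and are dropped.
    return array_values( array_filter( $ids, function ( $id ) {
        return $id > 0;
    } ) );
}

// Demonstration: the allow-list holds the value exactly as the user typed it.
$allowed = array( 'O\'Brien\\Reports', 'Archive' );
var_dump( in_array( example_save_dir_flagged(), $allowed, true ) );
var_dump( example_save_dir_fixed( $allowed ) );
var_dump( example_post_ids() );
```

Run it with `php example.php`: the flagged path hands the allow-list the slashed string, which is not one of the allowed directories, so the check fails for input that should have passed; the fixed path returns the directory the user actually typed, and the ID list comes back as integers with the non-numeric entry dropped. If the fixed path were stored with `update_option()`, the saved value would also be free of the extra backslashes.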
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #2201 | Product Bundle Builder for WooCommerce | 35 | 156 | 134 | 6k+ | Text Domain Mismatch | ||
| #2202 | Easy Social Icons | 35 | 182 | 158 | 20k+ | Output is not escaped | ||
| #2203 | Easy SwipeBox | 35 | 157 | 10 | 2k+ | Non Singular String Literal Domain | ||
| #2204 | Editorial Calendar | 35 | 127 | 160 | 20k+ | Output is not escaped | ||
| #2205 | Ele Conditions for Elementor | 35 | 2 | 7 | 4k+ | Request data is not unslashed | ||
| #2206 | Email Subscription Popup — Newsletter & GDPR Consent | 35 | 683 | 193 | 1k+ | Output is not escaped | ||
| #2207 | Email Validator for Contact Form 7 | 35 | 111 | 74 | 500 | SQL query is not prepared | ||
| #2208 | Embed Extended – Embed Maps, Videos, Websites, Source Codes, and more | 35 | 102 | 92 | 400 | Non-prefixed global variable | ||
| #2209 | WP Rocket \| Simple LoadCSS Preloader | 35 | 7 | 16 | 4k+ | Non-prefixed global variable | ||
| #2210 | Enhanced Recent Posts | 35 | 78 | 24 | 400 | Output is not escaped | ||
| #2211 | EnvíaloSimple: Email Marketing y Newsletters | 35 | 147 | 250 | 2k+ | Nonce verification recommended | ||
| #2212 | Equivalent Mobile Redirect | 35 | 29 | 17 | 2k+ | Text Domain Mismatch | ||
| #2213 | Connect WooCommerce to ActiveCampaign by EqualServing | 35 | 135 | 89 | 1k+ | Text Domain Mismatch | ||
| #2214 | EWWW Image Optimizer | 35 | 225 | 729 | 1m+ | Direct Query | ||
| #2215 | AI Popup Builder & Popup Maker by OptiMonk | 35 | 81 | 65 | 4k+ | Text Domain Mismatch | ||
| #2216 | Export Featured Images | 35 | 176 | 67 | 1k+ | Output is not escaped | ||
| #2217 | External Links Overview | 35 | 57 | 200 | 800 | Non-prefixed global variable | ||
| #2218 | WP2Social Auto Publish | 35 | 643 | 215 | 9k+ | Unsafe printing function | ||
| #2219 | Pixel Cat – Conversion Pixel Manager | 35 | 253 | 215 | 40k+ | Output is not escaped | ||
| #2220 | Instant Indexing for Google | 35 | 13 | 62 | 200k+ | Non-prefixed global variable | ||
| #2221 | Flat Preloader | 35 | 40 | 15 | 3k+ | Output is not escaped | ||
| #2222 | Flexible Checkout Fields for WooCommerce – WooCommerce Checkout Manager | 35 | 64 | 64 | 80k+ | Non-prefixed global variable | ||
| #2223 | Flying Analytics: Self-Host Google Analytics v4 with Speed Optimization | 35 | 17 | 13 | 5k+ | Missing direct file access protection | ||
| #2224 | Events Calendar by FooEvents | 35 | 56 | 59 | 4k+ | Non-prefixed global variable | ||
| #2225 | Force Reinstall | 35 | 118 | 34 | 2k+ | Output is not escaped | ||
| #2226 | FormFacade – Embed Google Forms in your website | 35 | 10 | 16 | 1k+ | Nonce verification recommended | ||
| #2227 | Friendly Captcha for WordPress | 35 | 192 | 62 | 9k+ | Output is not escaped | ||
| #2228 | Frontend Reset Password | 35 | 83 | 128 | 10k+ | Text Domain Mismatch | ||
| #2229 | Full Width Banner Slider Wp | 35 | 239 | 140 | 2k+ | Output is not escaped | ||
| #2230 | GA4WP – Analytics Dashboard for the Website | 35 | 434 | 157 | 2k+ | Text Domain Mismatch | ||
| #2231 | GDPR Compliance & Cookie Consent | 35 | 251 | 61 | 5k+ | Output is not escaped | ||
| #2232 | GeoTargeting Lite – WordPress Geolocation | 35 | 66 | 79 | 1k+ | Output is not escaped | ||
| #2233 | Get a Newsletter | 35 | 138 | 144 | 400 | Output is not escaped | ||
| #2234 | Glossary | 35 | 169 | 93 | 2k+ | Non Singular String Literal Domain | ||
| #2235 | Reviews Block for Google | 35 | 244 | 35 | 1k+ | Missing Arg Domain | ||
| #2236 | Gravitec.net – Web Push Notifications | 35 | 47 | 52 | 1k+ | wp function not compatible with requires wp | ||
| #2237 | Gumlet – Image optimization with Resize, Compression, Lazy load, Caching & CDN delivery | 35 | 53 | 45 | 500 | parse url parse url | ||
| #2238 | Ultimate Addons for Elementor | 35 | 70 | 226 | 2m+ | Non-prefixed hook name | ||
| #2239 | Health Check & Troubleshooting | 35 | 264 | 238 | 300k+ | Missing Arg Domain | ||
| #2240 | Heartbeat Control | 35 | 27 | 18 | 80k+ | Missing Arg Domain | ||
| #2241 | Social Comments by Heateor | 35 | 285 | 35 | 700 | Unsafe printing function | ||
| #2242 | Hippoo Mobile App for WooCommerce | 35 | 5 | 92 | 1k+ | Direct Query | ||
| #2243 | HTTP Authentication | 35 | 23 | 6 | 600 | Output is not escaped | ||
| #2244 | Iframely – WP media embeds, cards and blocks | 35 | 136 | 43 | 2k+ | Unsafe printing function | ||
| #2245 | Image Slider | 35 | 192 | 95 | 4k+ | Output is not escaped | ||
| #2246 | Image Widget | 35 | 165 | 31 | 100k+ | Output is not escaped | ||
| #2247 | ImageMagick Engine | 35 | 63 | 29 | 60k+ | Unsafe printing function | ||
| #2248 | Import Users & Customers with Meta \| WP Ultimate CSV Importer Add-on | 35 | 27 | 140 | 5k+ | Interpolated SQL is not prepared | ||
| #2249 | InPost PL | 35 | 2 | 925 | 10k+ | Non-prefixed global variable | ||
| #2250 | Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts | 35 | 64 | 91 | 60k+ | Output is not escaped | ||