WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Updated |
|---|---|---|---|---|---|---|---|
| #2301 | Country State City Dropdown CF7 | 40 | 35 | 54 | 5k+ | Direct Query | |
| #2302 | Coupon Generator for WooCommerce | 40 | 39 | 28 | 10k+ | Unsafe Printing Function | |
| #2303 | Crisp – Live Chat and Chatbot | 40 | 24 | 20 | 20k+ | Unsafe Printing Function | |
| #2304 | Cryout Serious Theme Settings | 40 | 332 | 51 | 40k+ | Output Not Escaped | |
| #2305 | Custom Simple Rss | 40 | 73 | 130 | 2k+ | Recommended | |
| #2306 | Dashboard Welcome for Beaver Builder | 40 | 38 | 24 | 2k+ | Output Not Escaped | |
| #2307 | Delete Me | 40 | 116 | 17 | 7k+ | Output Not Escaped | |
| #2308 | Duplicate Page | 40 | 39 | 43 | 3m+ | Unsafe Printing Function | |
| #2309 | ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor | 40 | 72 | 348 | 1m+ | Non Prefixed Variable Found | |
| #2310 | Eventer | 40 | 61 | 55 | 1k+ | Output Not Escaped | |
| #2311 | Export Media URLs | 40 | 71 | 35 | 7k+ | Output Not Escaped | |
| #2312 | Payment Gateway of PayPal for WooCommerce | 40 | 44 | 173 | 7k+ | Recommended | |
| #2313 | FameTheme Demo Importer | 40 | 8 | 74 | 30k+ | Recommended | |
| #2314 | FAQ Schema – Accordion, Tab, Slider & Gutenberg Block | 40 | 253 | 46 | 2k+ | Output Not Escaped | |
| #2315 | Far Future Expiry Header | 40 | 25 | 36 | 7k+ | Missing Unslash | |
| #2316 | Fast User Switching | 40 | 28 | 28 | 2k+ | Output Not Escaped | |
| #2317 | Flamingo | 40 | 15 | 228 | 800k+ | Recommended | |
| #2318 | Flying Scripts: Delay JavaScript to Improve Site Speed & Performance | 40 | 23 | 44 | 30k+ | missing direct file access protection | |
| #2319 | FlyWP Helper – Page Cache, Page Optimization, Emails for FlyWP Server Control Panel | 40 | 20 | 81 | 4k+ | Non Prefixed Variable Found | |
| #2320 | Full Background Manager | 40 | 37 | 24 | 7k+ | Output Not Escaped | |
| #2321 | Fusion Page Builder | 40 | 34 | 100 | 3k+ | Input Not Validated | |
| #2322 | Analytics Germanized for Google Analytics (GDPR / DSGVO) | 40 | 49 | 14 | 8k+ | Output Not Escaped | |
| #2323 | Osom Author Pro | 40 | 83 | 22 | 1k+ | Output Not Escaped | |
| #2324 | Product Enquiry for WooCommerce | 40 | 57 | 41 | 3k+ | Output Not Escaped | |
| #2325 | heatmap for WordPress – Realtime analytics | 40 | 94 | 15 | 1k+ | Non Singular String Literal Domain | |
| #2326 | WP Armour – Honeypot Anti Spam | 40 | 56 | 66 | 400k+ | Missing | |
| #2327 | Hostinger Reach – AI-Powered Email Marketing for WordPress | 40 | 9 | 46 | 1m+ | Direct Query | |
| #2328 | Image Alt Text | 40 | 79 | 97 | 9k+ | Non Singular String Literal Domain | |
| #2329 | Correios Automático – Rastreio, Frete, Etiqueta, Declaração e Devolução | 40 | 32 | 56 | 4k+ | Non Prefixed Variable Found | |
| #2330 | Internal Linking of Related Contents | 40 | 714 | 47 | 1k+ | Output Not Escaped | |
| #2331 | JSM Show Post Metadata | 40 | 15 | 66 | 10k+ | Recommended | |
| #2332 | JSM Show User Metadata | 40 | 14 | 64 | 3k+ | Recommended | |
| #2333 | La Sentinelle antispam | 40 | 88 | 46 | 3k+ | Output Not Escaped | |
| #2334 | Social Like Box and Page by WpDevArt | 40 | 62 | 24 | 5k+ | Output Not Escaped | |
| #2335 | Limit Login Attempts | 40 | 81 | 38 | 300k+ | Output Not Escaped | |
| #2336 | Logbook | 40 | 33 | 59 | 2k+ | Recommended | |
| #2337 | WPO365 \| Mail Integration for Office 365 / Outlook | 40 | 59 | 27 | 2k+ | Output Not Escaped | |
| #2338 | MailerSend – Official SMTP Integration | 40 | 39 | 25 | 2k+ | Unsafe Printing Function | |
| #2339 | Manual Image Crop | 40 | 178 | 61 | 8k+ | Output Not Escaped | |
| #2340 | MAS Company Reviews For WP Job Manager | 40 | 44 | 71 | 1k+ | Output Not Escaped | |
| #2341 | MembershipWorks – Membership, Events & Directory | 40 | 41 | 29 | 2k+ | Output Not Escaped | |
| #2342 | Modal Window – create popup modal window | 40 | 4 | 170 | 10k+ | Non Prefixed Variable Found | |
| #2343 | Multiple Featured Images | 40 | 50 | 22 | 5k+ | Output Not Escaped | |
| #2344 | Flying Images: Optimize and Lazy Load Images for Faster Page Speed | 40 | 32 | 58 | 3k+ | missing direct file access protection | |
| #2345 | No-Bot Registration | 40 | 112 | 42 | 2k+ | Unsafe Printing Function | |
| #2346 | No CAPTCHA reCAPTCHA | 40 | 112 | 26 | 4k+ | Text Domain Mismatch | |
| #2347 | One Click SSL | 40 | 136 | 62 | 10k+ | Unsafe Printing Function | |
| #2348 | OPML Importer | 40 | 35 | 13 | 4k+ | Output Not Escaped | |
| #2349 | Give – Paystack Gateway | 40 | 96 | 10 | 1k+ | Text Domain Mismatch | |
| #2350 | Pixel Tag Manager for WooCommerce – Google Analytics 4, Google Ads, and More Pixels | 40 | 68 | 249 | 3k+ | Missing | |