WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
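The three steps above applied to one settings handler, as an added example (not code from the scanner or from any listed plugin). The `myplugin_` prefix, the field names, the option name, and the nonce action are hypothetical.

```php
<?php
// Added example: hypothetical settings handler. All "myplugin_" names are assumptions.
add_action( 'admin_post_myplugin_save', 'myplugin_handle_save' );

function myplugin_handle_save() {
	// Capability and nonce checks come before any request data is read.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Not allowed.', 'myplugin' ), '', array( 'response' => 403 ) );
	}
	check_admin_referer( 'myplugin_save' );

	// Flagged pattern: the value is sanitized while still slashed,
	// so a submitted O'Brien is stored as O\'Brien.
	// $label = sanitize_text_field( $_POST['myplugin_label'] );

	// Steps 1 and 2: read the specific key, unslash it, then sanitize
	// with a function that matches the expected type.
	$label = isset( $_POST['myplugin_label'] )
		? sanitize_text_field( wp_unslash( $_POST['myplugin_label'] ) )
		: '';
	$mode  = isset( $_POST['myplugin_mode'] )
		? sanitize_key( wp_unslash( $_POST['myplugin_mode'] ) )
		: '';
	$limit = isset( $_POST['myplugin_limit'] )
		? absint( wp_unslash( $_POST['myplugin_limit'] ) )
		: 0;

	// Step 3: validate the sanitized values before they are stored.
	if ( '' === $label || strlen( $label ) > 80 ) {
		wp_die( esc_html__( 'Invalid label.', 'myplugin' ), '', array( 'response' => 400 ) );
	}
	if ( ! in_array( $mode, array( 'off', 'basic', 'strict' ), true ) ) {
		$mode = 'off'; // Fall back to a known-good value instead of storing arbitrary input.
	}
	$limit = min( max( $limit, 1 ), 100 ); // Clamp to the range the feature supports.

	update_option(
		'myplugin_settings',
		array(
			'label' => $label,
			'mode'  => $mode,
			'limit' => $limit,
		)
	);

	wp_safe_redirect( admin_url( 'options-general.php?page=myplugin&updated=1' ) );
	exit;
}
```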

Affected Plugins

| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #201 | File Manager Pro – Filester | 22 | 565 | 391 | 100k+ | | | Request data is not unslashed |
| #202 | Finale Lite – Sales Countdown Timer & Discount for WooCommerce | 22 | 1,031 | 451 | 4k+ | | | Output is not escaped |
| #203 | FireBox Popups – Increase Sales and Grow Your Email List | 22 | 153 | 812 | 7k+ | | | Non-prefixed global variable |
| #204 | Notification Bar, Announcement and Cookie Notice WordPress Plugin – FooBar | 22 | 1,321 | 1,371 | 3k+ | | | Non-prefixed global variable |
| #205 | Five Star Restaurant Menu and Food Ordering | 22 | 752 | 609 | 5k+ | | | Output is not escaped |
| #206 | FunnelKit Payment Gateway for Stripe WooCommerce | 22 | 244 | 321 | 20k+ | | | Input is not sanitized |
| #207 | GeoDirectory – WP Business Directory Plugin and Classified Listings Directory | 22 | 4,466 | 3,972 | 10k+ | | | Output is not escaped |
| #208 | Happyforms – Form Builder for WordPress: Drag & Drop Contact Forms, Surveys, Payments & Multipurpose Forms | 22 | 1,037 | 722 | 20k+ | | | Unsafe printing function |
| #209 | HeadSpace2 SEO | 22 | 940 | 360 | 3k+ | | | Text Domain Mismatch |
| #210 | Hesabfa Accounting | 22 | 467 | 718 | 400 | | | Text Domain Mismatch |
| #211 | Heureka | 22 | 557 | 254 | 400 | | | Exception output is not escaped |
| #212 | History Log by click5 | 22 | 675 | 1,290 | 400 | | | Direct Query |
| #213 | Csomagpontok és Címkék WooCommerce-hez | 22 | 2,001 | 769 | 7k+ | | | Text Domain Mismatch |
| #214 | IMPress for IDX Broker | 22 | 1,085 | 636 | 6k+ | | | Text Domain Mismatch |
| #215 | Insert or Embed Articulate Content into WordPress | 22 | 659 | 1,437 | 2k+ | | | Non-prefixed global variable |
| #216 | Számlázz.hu integráció WooCommerce-hez | 22 | 1,169 | 460 | 7k+ | | | Text Domain Mismatch |
| #217 | The Innovative Form Builder – IvyForms | 22 | 713 | 250 | 400 | | | Exception output is not escaped |
| #218 | InfiniteWP Client | 22 | 2,286 | 1,812 | 200k+ | | | Exception output is not escaped |
| #219 | Import WP – Export and Import CSV and XML files to WordPress | 22 | 580 | 330 | 4k+ | | | Exception output is not escaped |
| #220 | JCC Payment Gateway for Woocommerce | 22 | 2,273 | 1,136 | 600 | | | Text Domain Mismatch |
| #221 | Jim Soft Swiss QR Invoice | 22 | 262 | 392 | 400 | | | Non-prefixed global variable |
| #222 | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses | 22 | 2,346 | 3,341 | 70k+ | | | Non-prefixed global variable |
| #223 | Leyka | 22 | 253 | 3,445 | 2k+ | | | Request data is not unslashed |
| #224 | Custom Login Page Customizer – Login Designer | 22 | 588 | 1,455 | 30k+ | | | Non-prefixed global variable |
| #225 | Mail Baby SMTP | 22 | 385 | 699 | 600 | | | SQL query is not prepared |
| #226 | MailOptin – Popup, Optin Forms & Email Newsletters for Mailchimp, HubSpot, AWeber Etc. | 22 | 2,625 | 2,458 | 10k+ | | | Output is not escaped |
| #227 | MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution | 22 | 1,131 | 1,844 | 800 | | | Non-prefixed global variable |
| #228 | Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider | 22 | 207 | 323 | 500k+ | | | Non-prefixed global variable |
| #229 | Modula Image Gallery – Photo Grid & Video Gallery | 22 | 474 | 436 | 100k+ | | | Text Domain Mismatch |
| #230 | Molongui Authorship – Author Boxes, Guest Authors & Co-Authors for WordPress | 22 | 919 | 1,230 | 10k+ | | | Output is not escaped |
| #231 | Moloni | 22 | 902 | 356 | 2k+ | | | Missing Arg Domain |
| #232 | Motors – Car Dealership & Classified Listings Plugin | 22 | 5,340 | 5,958 | 9k+ | | | Text Domain Mismatch |
| #233 | myCred Toolkit with AI Assistant – Scale Your Loyalty & Gamification Rewards With Integrations | 22 | 1,588 | 1,172 | 400 | | | Output is not escaped |
| #234 | Newsletters | 22 | 2,968 | 2,248 | 2k+ | | | Text Domain Mismatch |
| #235 | NinjaFirewall (WP Edition) – Advanced Security Plugin and Firewall | 22 | 1,266 | 2,059 | 100k+ | | | Non-prefixed global variable |
| #236 | NinjaScanner – Virus & Malware scan | 22 | 596 | 551 | 30k+ | | | Non-prefixed global variable |
| #237 | WP OAuth Server (OAuth Authentication) | 22 | 189 | 347 | 3k+ | | | Non-prefixed function |
| #238 | oik | 22 | 489 | 180 | 2k+ | | | Non Singular String Literal Domain |
| #239 | Packeta | 22 | 801 | 333 | 8k+ | | | Exception output is not escaped |
| #240 | PagBank / PagSeguro Connect para WooCommerce | 22 | 504 | 757 | 4k+ | | | Non-prefixed global variable |
| #241 | PAYCOMET for WooCommerce | 22 | 1,206 | 423 | 2k+ | | | Text Domain Mismatch |
| #242 | PDF Builder for WPForms | 22 | 321 | 266 | 900 | | | SQL query is not prepared |
| #243 | Smart Popup by Supsystic | 22 | 3,172 | 503 | 10k+ | | | Non Singular String Literal Domain |
| #244 | Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App | 22 | 1,581 | 2,326 | 300k+ | | | Non-prefixed global variable |
| #245 | Prime Mover – Migrate WordPress Website & Backups | 22 | 1,326 | 1,600 | 10k+ | | | Non-prefixed global variable |
| #246 | Product Catalog Feed by PixelYourSite | 22 | 581 | 357 | 8k+ | | | Output is not escaped |
| #247 | Pronamic Pay | 22 | 258 | 1,077 | 2k+ | | | Non-prefixed global variable |
| #248 | PageSpeed Ninja – Cache, Minify, Defer CSS JavaScript, Critical CSS, Optimize Images, Convert WebP | 22 | 984 | 407 | 5k+ | | | Unsafe printing function |
| #249 | Quick Contact Form | 22 | 260 | 623 | 1k+ | | | Non-prefixed function |
| #250 | RabbitLoader Cache: Optimize your Website for Speed | 22 | 241 | 163 | 2k+ | | | Output is not escaped |