WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
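The three steps above as an added example, not code from any plugin listed on this page. The `myplugin_*` names, the request keys and the allowed mode values are hypothetical, and the stand-in functions at the top exist only so the file also runs on the PHP command line outside WordPress.

```php
<?php
// Added example; the myplugin_* names are hypothetical.
// Stand-ins so the file also runs on the PHP CLI; WordPress core supplies the real ones.
if ( ! function_exists( 'wp_unslash' ) ) {
	function wp_unslash( $value ) {
		return is_array( $value ) ? array_map( 'wp_unslash', $value ) : ( is_string( $value ) ? stripslashes( $value ) : $value );
	}
	function sanitize_text_field( $str ) { // Simplified: core does more than this.
		return trim( preg_replace( '/\s+/', ' ', strip_tags( (string) $str ) ) );
	}
	function sanitize_key( $key ) {
		return preg_replace( '/[^a-z0-9_\-]/', '', strtolower( (string) $key ) );
	}
}

// Constructed request, slashed the way WordPress slashes superglobals at load time.
$_POST = array(
	'myplugin_name' => addslashes( "O'Brien" ),
	'myplugin_mode' => 'strict',
);

// Flagged pattern: sanitized while still slashed, so the added backslash is kept.
function myplugin_name_flagged() {
	return isset( $_POST['myplugin_name'] ) ? sanitize_text_field( $_POST['myplugin_name'] ) : '';
}

// Read one key, unslash it, then sanitize for the expected type (plain text).
function myplugin_name_fixed() {
	return isset( $_POST['myplugin_name'] ) ? sanitize_text_field( wp_unslash( $_POST['myplugin_name'] ) ) : '';
}

// Validate against an allow-list before the value reaches a setting or query.
function myplugin_mode() {
	$mode = isset( $_POST['myplugin_mode'] ) ? sanitize_key( wp_unslash( $_POST['myplugin_mode'] ) ) : '';
	return in_array( $mode, array( 'off', 'strict', 'relaxed' ), true ) ? $mode : 'off';
}

// Nonce and capability checks are assumed to have passed before this point.
printf( "flagged: %s\n", myplugin_name_flagged() );
printf( "fixed:   %s\n", myplugin_name_fixed() );
printf( "matches: %s\n", var_export( myplugin_name_fixed() === "O'Brien", true ) );
printf( "mode:    %s\n", myplugin_mode() );
```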
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Updated |
|---|---|---|---|---|---|---|---|
| #2451 | Lockdown WP Admin | 41 | 20 | 50 | 10k+ | Missing Unslash | |
| #2452 | Log cleaner for Solid Security | 41 | 65 | 47 | 8k+ | Text Domain Mismatch | |
| #2453 | Magic Liquidizer Responsive Table | 41 | 114 | 38 | 6k+ | Text Domain Mismatch | |
| #2454 | MaxLimits – Increase Maximum Upload, Post & PHP Limits | 41 | 99 | 16 | 1k+ | Unsafe Printing Function | |
| #2455 | MaxSlider | 41 | 21 | 45 | 7k+ | Output Not Escaped | |
| #2456 | Media Grid | 41 | 42 | 44 | 2k+ | Missing Arg Domain | |
| #2457 | Mihdan: Yandex Turbo Feed | 41 | 65 | 39 | 1k+ | Output Not Escaped | |
| #2458 | Mobile Contact Bar | 41 | 94 | 36 | 10k+ | Unsafe Printing Function | |
| #2459 | Mollie Forms | 41 | 14 | 565 | 3k+ | Missing Unslash | |
| #2460 | MouseWheel Smooth Scroll | 41 | 104 | 7 | 100k+ | Text Domain Mismatch | |
| #2461 | Multiple Domain | 41 | 42 | 17 | 10k+ | Output Not Escaped | |
| #2462 | My Wp Brand – Hide menu & Hide Plugin | 41 | 74 | 50 | 2k+ | Non Singular String Literal Domain | |
| #2463 | Native Emoji | 41 | 54 | 37 | 5k+ | Unsafe Printing Function | |
| #2464 | Social Login | 41 | 8 | 110 | 5k+ | Input Not Sanitized | |
| #2465 | Omnibus — show the lowest price | 41 | 35 | 37 | 10k+ | Output Not Escaped | |
| #2466 | Optimus – WordPress Image Optimizer | 41 | 52 | 20 | 30k+ | Unsafe Printing Function | |
| #2467 | OSS Aliyun | 41 | 19 | 40 | 3k+ | Missing Unslash | |
| #2468 | Page Loading Effects | 41 | 68 | 24 | 2k+ | Output Not Escaped | |
| #2469 | Page & Post Notes | 41 | 12 | 77 | 1k+ | Non Prefixed Variable Found | |
| #2470 | Page Specific Menu Items | 41 | 78 | 19 | 2k+ | Output Not Escaped | |
| #2471 | Pods – Custom Content Types and Fields | 41 | 5 | 233 | 100k+ | Direct Query | |
| #2472 | Ally – Web Accessibility & Usability | 41 | 47 | 35 | 500k+ | Output Not Escaped | |
| #2473 | Post Cloner | 41 | 25 | 15 | 1k+ | Text Domain Mismatch | |
| #2474 | Posts 2 Posts | 41 | 42 | 73 | 10k+ | Non Singular String Literal Domain | |
| #2475 | Preload LCP Image | 41 | 110 | 31 | 4k+ | Unsafe Printing Function | |
| #2476 | Prevent Landscape Rotation | 41 | 31 | 27 | 1k+ | Output Not Escaped | |
| #2477 | Product Expiry for WooCommerce | 41 | 31 | 85 | 2k+ | Missing Unslash | |
| #2478 | Simple Product Options for WooCommerce | 41 | 62 | 41 | 3k+ | Output Not Escaped | |
| #2479 | Variation Swatches for WooCommerce | 41 | 29 | 126 | 9k+ | Missing | |
| #2480 | Read More Without Refresh | 41 | 260 | 7 | 20k+ | Text Domain Mismatch | |
| #2481 | Responsive Plus – Elementor Templates & Starter Sites | 41 | 46 | 307 | 10k+ | Non Prefixed Variable Found | |
| #2482 | Responsive Gallery Grid | 41 | 74 | 14 | 4k+ | Output Not Escaped | |
| #2483 | Responsive Lightbox | 41 | 68 | 10 | 10k+ | Output Not Escaped | |
| #2484 | Revision Control | 41 | 60 | 28 | 40k+ | Output Not Escaped | |
| #2485 | Revisionize | 41 | 54 | 24 | 4k+ | Output Not Escaped | |
| #2486 | Simple 301 Redirects By BetterLinks – Easy WordPress Redirect Manager for Redirects, 404 Error Log & More | 41 | 43 | 61 | 100k+ | Missing Unslash | |
| #2487 | Simple Cache | 41 | 33 | 59 | 1k+ | Input Not Sanitized | |
| #2488 | Simple CPT | 41 | 280 | 60 | 4k+ | Unsafe Printing Function | |
| #2489 | Simple Like Page – Fast & Privacy-Friendly Page Embeds | 41 | 145 | 31 | 10k+ | Output Not Escaped | |
| #2490 | IP Ban | 41 | 29 | 39 | 2k+ | Input Not Validated | |
| #2491 | Simple Lightbox | 41 | 21 | 48 | 100k+ | Recommended | |
| #2492 | Simple Page Access Restriction | 41 | 66 | 51 | 6k+ | Unsafe Printing Function | |
| #2493 | Simple Revision Control | 41 | 34 | 43 | 1k+ | Dynamic Hookname Found | |
| #2494 | SiteSEO – SEO Simplified | 41 | 20 | 110 | 500k+ | Recommended | |
| #2495 | Smart User Slug Hider | 41 | 85 | 12 | 3k+ | Output Not Escaped | |
| #2496 | Squeeze – Image Optimization & Compression, WEBP Conversion | 41 | 18 | 71 | 2k+ | Recommended | |
| #2497 | Sticky Posts – Switch | 41 | 84 | 5 | 6k+ | Output Not Escaped | |
| #2498 | tarteaucitron.io | 41 | 44 | 92 | 10k+ | Output Not Escaped | |
| #2499 | Text Hover | 41 | 44 | 13 | 1k+ | Output Not Escaped | |
| #2500 | Text Replace | 41 | 55 | 12 | 3k+ | Output Not Escaped |