WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2651Extended Coupon Features for WooCommerce FREE362196310k+Text Domain Mismatch
#2652CatalogX – Catalog Mode, Enquiry & Quotes for WooCommerce36165695k+Text Domain Mismatch
#2653Eway Payments for Woo36525403k+Text Domain Mismatch
#2654SuperFaktura WooCommerce36601162k+Nonce verification recommended
#2655Hide admin notices – Admin Notification Center36114678k+Output is not escaped
#2656WP Better Permalinks36110591k+Output is not escaped
#2657Export Themes36122902k+Non-prefixed constant
#2658WP Coder – Insert & Manage Code Snippets365328010k+Nonce verification recommended
#2659WP Counter368643800Output is not escaped
#2660WP Custom Cursors | WordPress Cursor Plugin366913909k+Text Domain Mismatch
#2661WP-EMail36340951k+Unsafe printing function
#2662WP Header Images361741336k+Unsafe printing function
#2663WP Mail36202201500Output is not escaped
#2664Payment Button for PayPal36155864k+Unsafe printing function
#2665WP Publication Archive3619764400Text Domain Mismatch
#2666WP Responsive Menu3629513930k+Text Domain Mismatch
#2667WP Hardening (discontinued)362308510k+Text Domain Mismatch
#2668WP Show Posts3610710270k+Output is not escaped
#2669WP Socializer – Simple & Easy Social Media Share Icons362145110k+Output is not escaped
#2670WP Sort Order361342116k+Direct Query
#2671WP Stripe Checkout361981181k+Unsafe printing function
#2672WP Super Edit36351852k+Nonce verification recommended
#2673Yandex.Metrica36763060k+Output is not escaped
#2674WPAvatar3642545700Unsafe printing function
#2675WP fail2ban Blocklist3661633k+SQL query is not prepared
#2676WPLMS H5P361111061k+Text Domain Mismatch
#2677Wppao Sitemap36128219k+Output is not escaped
#2678wpShopGermany IT-RECHT KANZLEI363747500Input is not sanitized
#2679Database Snapshots – WPvivid36661081k+Direct Query
#2680YayExtra – WooCommerce Extra Product Options36114721k+Non-prefixed global variable
#2681Visual CSS Style Editor3628323340k+Output is not escaped
#2682Custom Product Tabs for WooCommerce36878180k+Output is not escaped
#2683Zarinpal Gateway361515550k+Non Singular String Literal Domain
#2684360 Javascript Viewer37144221k+Output is not escaped
#2685Redirectioner372344101k+Output is not escaped
#2686ACF: TablePress37160451k+Text Domain Mismatch
#2687Adapta RGPD373497240k+Text Domain Mismatch
#2688Adaptive Images for WordPress3751753k+Output is not escaped
#2689Add From Server37522060k+Output is not escaped
#2690AddToAny Share Buttons37123164300k+Unsafe printing function
#2691Add to Cart Redirect for WooCommerce372151418k+Text Domain Mismatch
#2692Advanced Accordion Gutenberg Block – Create Beautiful FAQs, Content Accordions & Interactive Tabs37393610k+Missing direct file access protection
#2693PiWeb Advanced Flat rate / Conditional shipping for WooCommerce37841922k+wp function not compatible with requires wp
#2694Agreeable374067800Unsafe printing function
#2695AJAX Hits Counter + Popular Posts Widget37247441k+Output is not escaped
#2696Analytics Spam Blocker377622800Unsafe printing function
#2697Antom Payments376068800badly named files
#2698All-in-one Chat Button by anychat.one3711969900Text Domain Mismatch
#2699Anything Popup371641852k+Non-prefixed global variable
#2700Apaczka: integracja z WooCommerce3783163k+Non-prefixed global variable