WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2651 | Extended Coupon Features for WooCommerce FREE | 36 | 219 | 63 | 10k+ | Text Domain Mismatch | ||
| #2652 | CatalogX – Catalog Mode, Enquiry & Quotes for WooCommerce | 36 | 165 | 69 | 5k+ | Text Domain Mismatch | ||
| #2653 | Eway Payments for Woo | 36 | 525 | 40 | 3k+ | Text Domain Mismatch | ||
| #2654 | SuperFaktura WooCommerce | 36 | 60 | 116 | 2k+ | Nonce verification recommended | ||
| #2655 | Hide admin notices – Admin Notification Center | 36 | 114 | 67 | 8k+ | Output is not escaped | ||
| #2656 | WP Better Permalinks | 36 | 110 | 59 | 1k+ | Output is not escaped | ||
| #2657 | Export Themes | 36 | 122 | 90 | 2k+ | Non-prefixed constant | ||
| #2658 | WP Coder – Insert & Manage Code Snippets | 36 | 53 | 280 | 10k+ | Nonce verification recommended | ||
| #2659 | WP Counter | 36 | 86 | 43 | 800 | Output is not escaped | ||
| #2660 | WP Custom Cursors | WordPress Cursor Plugin | 36 | 691 | 390 | 9k+ | Text Domain Mismatch | ||
| #2661 | WP-EMail | 36 | 340 | 95 | 1k+ | Unsafe printing function | ||
| #2662 | WP Header Images | 36 | 174 | 133 | 6k+ | Unsafe printing function | ||
| #2663 | WP Mail | 36 | 202 | 201 | 500 | Output is not escaped | ||
| #2664 | Payment Button for PayPal | 36 | 155 | 86 | 4k+ | Unsafe printing function | ||
| #2665 | WP Publication Archive | 36 | 197 | 64 | 400 | Text Domain Mismatch | ||
| #2666 | WP Responsive Menu | 36 | 295 | 139 | 30k+ | Text Domain Mismatch | ||
| #2667 | WP Hardening (discontinued) | 36 | 230 | 85 | 10k+ | Text Domain Mismatch | ||
| #2668 | WP Show Posts | 36 | 107 | 102 | 70k+ | Output is not escaped | ||
| #2669 | WP Socializer – Simple & Easy Social Media Share Icons | 36 | 214 | 51 | 10k+ | Output is not escaped | ||
| #2670 | WP Sort Order | 36 | 134 | 211 | 6k+ | Direct Query | ||
| #2671 | WP Stripe Checkout | 36 | 198 | 118 | 1k+ | Unsafe printing function | ||
| #2672 | WP Super Edit | 36 | 35 | 185 | 2k+ | Nonce verification recommended | ||
| #2673 | Yandex.Metrica | 36 | 76 | 30 | 60k+ | Output is not escaped | ||
| #2674 | WPAvatar | 36 | 425 | 45 | 700 | Unsafe printing function | ||
| #2675 | WP fail2ban Blocklist | 36 | 61 | 63 | 3k+ | SQL query is not prepared | ||
| #2676 | WPLMS H5P | 36 | 111 | 106 | 1k+ | Text Domain Mismatch | ||
| #2677 | Wppao Sitemap | 36 | 128 | 21 | 9k+ | Output is not escaped | ||
| #2678 | wpShopGermany IT-RECHT KANZLEI | 36 | 37 | 47 | 500 | Input is not sanitized | ||
| #2679 | Database Snapshots – WPvivid | 36 | 66 | 108 | 1k+ | Direct Query | ||
| #2680 | YayExtra – WooCommerce Extra Product Options | 36 | 11 | 472 | 1k+ | Non-prefixed global variable | ||
| #2681 | Visual CSS Style Editor | 36 | 283 | 233 | 40k+ | Output is not escaped | ||
| #2682 | Custom Product Tabs for WooCommerce | 36 | 87 | 81 | 80k+ | Output is not escaped | ||
| #2683 | Zarinpal Gateway | 36 | 151 | 55 | 50k+ | Non Singular String Literal Domain | ||
| #2684 | 360 Javascript Viewer | 37 | 144 | 22 | 1k+ | Output is not escaped | ||
| #2685 | Redirectioner | 37 | 234 | 410 | 1k+ | Output is not escaped | ||
| #2686 | ACF: TablePress | 37 | 160 | 45 | 1k+ | Text Domain Mismatch | ||
| #2687 | Adapta RGPD | 37 | 349 | 72 | 40k+ | Text Domain Mismatch | ||
| #2688 | Adaptive Images for WordPress | 37 | 51 | 75 | 3k+ | Output is not escaped | ||
| #2689 | Add From Server | 37 | 52 | 20 | 60k+ | Output is not escaped | ||
| #2690 | AddToAny Share Buttons | 37 | 123 | 164 | 300k+ | Unsafe printing function | ||
| #2691 | Add to Cart Redirect for WooCommerce | 37 | 215 | 141 | 8k+ | Text Domain Mismatch | ||
| #2692 | Advanced Accordion Gutenberg Block – Create Beautiful FAQs, Content Accordions & Interactive Tabs | 37 | 39 | 36 | 10k+ | Missing direct file access protection | ||
| #2693 | PiWeb Advanced Flat rate / Conditional shipping for WooCommerce | 37 | 84 | 192 | 2k+ | wp function not compatible with requires wp | ||
| #2694 | Agreeable | 37 | 40 | 67 | 800 | Unsafe printing function | ||
| #2695 | AJAX Hits Counter + Popular Posts Widget | 37 | 247 | 44 | 1k+ | Output is not escaped | ||
| #2696 | Analytics Spam Blocker | 37 | 76 | 22 | 800 | Unsafe printing function | ||
| #2697 | Antom Payments | 37 | 60 | 68 | 800 | badly named files | ||
| #2698 | All-in-one Chat Button by anychat.one | 37 | 119 | 69 | 900 | Text Domain Mismatch | ||
| #2699 | Anything Popup | 37 | 164 | 185 | 2k+ | Non-prefixed global variable | ||
| #2700 | Apaczka: integracja z WooCommerce | 37 | 8 | 316 | 3k+ | Non-prefixed global variable |