WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2701Login by Auth0373078210k+Text Domain Mismatch
#2702authLdap3746304k+Exception output is not escaped
#2703avalex – Automatisch sichere Rechtstexte3725851k+Direct Query
#2704AZAN Plugin374430500Output is not escaped
#2705Banhammer – Monitor Site Traffic, Block Bad Users and Bots371041741k+Output is not escaped
#2706Custom Thank You Page Customize For WooCommerce by Binary Carpenter3745802k+error log error log
#2707Better Click To Share – Shareable Quote Boxes for X (Twitter)37170596k+Unsafe printing function
#2708Blimply3717243800Text Domain Mismatch
#2709Blog News Addons For Elementor (News, Magazine and Blog Addons)3723296400Non-prefixed global variable
#2710Customize WordPress Emails and Alerts – Better Notifications for WP37644730k+Missing Arg Domain
#2711Booster Extension37282896k+Non-prefixed global variable
#2712Britetechs Companion379666132k+Text Domain Mismatch
#2713BuddyPress Members Only37184801k+Text Domain Mismatch
#2714bunny.net – WordPress CDN Plugin3716515910k+Output is not escaped
#2715Delivery Date Time & Pickup for WooCommerce37148216400Output is not escaped
#2716Catalog Booster & Product Catalog Mode for WooCommerce371061681k+Non-prefixed function
#2717Checkout for PayPal3713467600Unsafe printing function
#2718Clearpay Gateway for WooCommerce37185631k+Text Domain Mismatch
#2719ClickCease Click Fraud Protection37305810k+Non-prefixed class
#2720ClickRank – Ai SEO Automation37102261k+Direct Query
#2721CodePeople Post Map for Google Maps37257313k+Unsafe printing function
#2722Lightweight Subscribe To Comments37105701k+Unsafe printing function
#2723PiWeb Conditional cart fee / Extra charge rule for WooCommerce371642142k+Text Domain Mismatch
#2724Constant Contact Forms by MailMunch37147532k+wp function not compatible with requires wp
#2725CorvusPay WooCommerce Payment Gateway37291411k+Missing nonce verification
#2726Crafty Social Buttons37279271k+Non Singular String Literal Domain
#2727Ultimate Custom Add To Cart Button (Ajax) For WooCommerce by Binary Carpenter3715161600Output is not escaped
#2728Simple Custom CSS and JS3716869600k+Output is not escaped
#2729Custom CSS Manager3755201k+Output is not escaped
#2730Custom Post Template37483010k+Output is not escaped
#2731Customer Email Verification for WooCommerce371651642k+Nonce verification recommended
#2732Debug Log Viewer3726831k+Missing nonce verification
#2733Donation Block For PayPal3723106600Input is not validated
#2734DSGVO/GDPR Cookies, DSE, Impressum & Google Fonts Proxy3739125700Text Domain Mismatch
#2735Duo Two-Factor Authentication3744613k+Missing nonce verification
#2736Easy Photo Album37360431k+Text Domain Mismatch
#2737Pricing Table WordPress Plugin – Easy Pricing Tables3733216110k+Output is not escaped
#2738Easy Testimonial Slider and Form3714144700Request data is not unslashed
#2739EasyMe Connect3713045500Text Domain Mismatch
#2740Eazy CF Captcha379354500Text Domain Mismatch
#2741WP eBay Product Feeds3713631700Output is not escaped
#2742Email Encoder – Protect Email Addresses and Phone Numbers371015090k+Non-prefixed global variable
#2743Excerpt Editor37170142500Unsafe printing function
#2744Exploit Scanner37251308k+Non-prefixed global variable
#2745Facturare WooCommerce371581063k+Text Domain Mismatch
#2746Furgonetka.pl: Przesyłki & Narzędzia e-commerce3766487k+Exception output is not escaped
#2747果果推送3731561k+Nonce verification recommended
#2748Gmail SMTP37857110k+Unsafe printing function
#2749GHL Gravity Bridge – Send Gravity Forms leads to GHL CRM3759269600Direct Query
#2750GoCache3727343900Non Singular String Literal Domain