WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2801PublishPress Statuses – Custom Post Status and Workflow37231781k+Missing Arg Domain
#2802Quantities and Units for WooCommerce371331181k+Output is not escaped
#2803Quentn WP374251500Nonce verification recommended
#2804Quick Restaurant Menu37136401k+Text Domain Mismatch
#2805Rich Table of Contents372625720k+Output is not escaped
#2806RSS for Yandex Zen372401004k+Unsafe printing function
#2807RSS Image Feed37147162k+Output is not escaped
#2808Ryviu – Review Importer & Product Reviews3772951k+Output is not escaped
#2809SB RSS feed plus37172241k+Output is not escaped
#2810Send PDF for Contact Form 737223089k+Non-prefixed global variable
#2811SendWP37474210k+Output is not escaped
#2812Sezzle Woocommerce Payment371081051k+Text Domain Mismatch
#2813Snippet Shortcodes373591334k+Non Singular String Literal Domain
#2814Shortcoder — Create Shortcodes for Anything372570100k+Non-prefixed global variable
#2815Weaver Show Sliders37177132900Text Domain Mismatch
#2816Simple Countdown Timer371101131k+Missing Arg Domain
#2817Simple Image XML Sitemap37119161k+Output is not escaped
#2818Lightbox slider – Responsive Lightbox Gallery37361733k+Non-prefixed global variable
#2819Site Offline Or Coming Soon Or Maintenance Mode3712713830k+Unsafe printing function
#2820Skimlinks Affiliate Marketing Tool378419800wp function not compatible with requires wp
#2821Slider Pro37782601k+Non-prefixed global variable
#2822Smart Send Logistics379281400Output is not escaped
#2823Social Comments375932400Output is not escaped
#2824Spam Destroyer3763436k+rand rand
#2825StagTools37476531k+Text Domain Mismatch
#2826Website Pop-up Builder by BDOW! (formerly Sumo): Pop-ups + forms for email opt-ins and lead generation37423310k+Output is not escaped
#2827SuperCPT3717227600Output is not escaped
#2828Super Simple Site Offline37115596k+Text Domain Mismatch
#2829Swifty Bar, sticky bar by WPGens3711281400Output is not escaped
#2830Tilopay37351301k+Nonce verification recommended
#2831Time Clock – A WordPress Employee & Volunteer Time Clock Plugin37166107500Output is not escaped
#2832Tracking Code Manager37554290k+Output is not escaped
#2833Tracking Script Manager3782572k+Non Singular String Literal Domain
#2834Ultimate WordPress Auction Plugin376231461k+Text Domain Mismatch
#2835Landing Page Builder – Free Landing Page Templates37329111600Output is not escaped
#2836Ultimate Tag Cloud Widget37715164k+Output is not escaped
#2837User Meta Display377874500Output is not escaped
#2838UsersWP – Social Login37299912k+Text Domain Mismatch
#2839ValidateCertify Free37123971k+Text Domain Mismatch
#2840Varnish/Nginx Proxy Caching3728736600Output is not escaped
#2841ViaBill – WooCommerce3743786500Text Domain Mismatch
#2842Virtual Classroom – Video Conferencing & Online Meeting with BigBlueButton3745140400Nonce verification recommended
#2843Featured Video for WordPress – VideographyWP37287931k+Unsafe printing function
#2844Views for WPForms – Display & Edit WPForms Entries on your site frontend3780641k+Output is not escaped
#2845Innovs WPBakery Visual Composer WHMCS Elements37154242k+Text Domain Mismatch
#2846Weather Atlas Widget376301118k+Output is not escaped
#2847Widget Box Lite3731817900Output is not escaped
#2848Orders Tracking for WooCommerce37731210k+Request data is not unslashed
#2849Módulo PagSeguro3790461k+Unsafe printing function
#2850Piraeus Bank WooCommerce Payment Gateway371461043k+Non Singular String Literal Domain