WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
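The three steps above applied to one settings handler, next to the form the scan flags. This is an added example, not code from any plugin listed on this page; the `myplugin_` prefix, the field names, the nonce action and the option keys are hypothetical.

```php
<?php
// Added example. The myplugin_ prefix, field names and option keys are hypothetical.

// Flagged form: the slashed value goes straight into the sanitizer, so a
// submitted "O'Brien" is stored as "O\'Brien".
function myplugin_save_flagged() {
	if ( isset( $_POST['display_name'] ) ) {
		update_option( 'myplugin_display_name', sanitize_text_field( $_POST['display_name'] ) );
	}
}

// Corrected form: read one key, unslash it, sanitize by type, then validate.
function myplugin_save_settings() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Not allowed.', 'myplugin' ), '', array( 'response' => 403 ) );
	}
	// Nonce check first, so the request keys below are read from a verified form post.
	check_admin_referer( 'myplugin_save', 'myplugin_nonce' );

	// Free text: unslash, then sanitize as a single-line string.
	$name = isset( $_POST['display_name'] )
		? sanitize_text_field( wp_unslash( $_POST['display_name'] ) )
		: '';

	// Integer: unslash, then coerce to a non-negative integer.
	$per_page = isset( $_POST['per_page'] ) ? absint( wp_unslash( $_POST['per_page'] ) ) : 0;

	// Enumerated value: unslash, normalise to a key, then check an allow-list.
	$mode = isset( $_POST['mode'] ) ? sanitize_key( wp_unslash( $_POST['mode'] ) ) : '';

	// Validate the sanitized values before anything is stored.
	$valid = '' !== $name
		&& $per_page >= 1 && $per_page <= 100
		&& in_array( $mode, array( 'list', 'grid' ), true );
	if ( ! $valid ) {
		wp_die( esc_html__( 'Invalid settings.', 'myplugin' ), '', array( 'response' => 400 ) );
	}

	update_option( 'myplugin_display_name', $name );
	update_option( 'myplugin_per_page', $per_page );
	update_option( 'myplugin_mode', $mode );

	wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
	exit;
}
add_action( 'admin_post_myplugin_save', 'myplugin_save_settings' );
```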
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2901 | AccessibleWP – Accessibility Toolbar | 38 | 381 | 26 | 20k+ | | | Text Domain Mismatch |
| #2902 | ACF-VC Integrator | 38 | 190 | 91 | 3k+ | | | Output is not escaped |
| #2903 | Parallax Scroll by adamrob.co.uk | 38 | 102 | 51 | 1k+ | | | Output is not escaped |
| #2904 | Add Customer for WooCommerce | 38 | 229 | 153 | 1k+ | | | Text Domain Mismatch |
| #2905 | Admin Bar & Dashboard Access Control | 38 | 94 | 37 | 3k+ | | | Text Domain Mismatch |
| #2906 | Admin Management Xtended | 38 | 280 | 161 | 5k+ | | | Output is not escaped |
| #2907 | AdRoll for WooCommerce Stores | 38 | 40 | 25 | 600 | | | Output is not escaped |
| #2908 | AWCA – The Great Analytics Insights for Your eStore | 38 | 238 | 143 | 2k+ | | | Output is not escaped |
| #2909 | Advanced 301 and 302 Redirect | 38 | 81 | 339 | 1k+ | | | Non-prefixed global variable |
| #2910 | Advanced Product Search For WooCommerce | 38 | 160 | 38 | 4k+ | | | Text Domain Mismatch |
| #2911 | Advanced Sermons | 38 | 833 | 184 | 1k+ | | | Unsafe printing function |
| #2912 | Afterpay Gateway for WooCommerce | 38 | 183 | 62 | 10k+ | | | Text Domain Mismatch |
| #2913 | Alphabetic Pagination | 38 | 144 | 117 | 500 | | | Unsafe printing function |
| #2914 | Anant Sites — Elementor & Gutenberg Readymade Template Library Free & Pro Templates | 38 | 20 | 156 | 1k+ | | | Non-prefixed global variable |
| #2915 | Announce from the Dashboard | 38 | 138 | 24 | 7k+ | | | Non Singular String Literal Domain |
| #2916 | Announcement Bar | 38 | 192 | 61 | 3k+ | | | Non Singular String Literal Domain |
| #2917 | Any Mobile Theme Switcher | 38 | 69 | 59 | 20k+ | | | Output is not escaped |
| #2918 | Aplazame | 38 | 34 | 39 | 600 | | | Non-prefixed global variable |
| #2919 | Activity Log – Monitor & Record User Changes | 38 | 81 | 149 | 200k+ | | | Nonce verification recommended |
| #2920 | Ashe Extra | 38 | 109 | 54 | 3k+ | | | Text Domain Mismatch |
| #2921 | Attachments | 38 | 238 | 66 | 8k+ | | | Unsafe printing function |
| #2922 | Audio Story Images | 38 | 46 | 44 | 400 | | | Output is not escaped |
| #2923 | Author Category | 38 | 85 | 25 | 4k+ | | | Output is not escaped |
| #2924 | Auto Prune Posts | 38 | 54 | 57 | 1k+ | | | Output is not escaped |
| #2925 | Autologin Links | 38 | 73 | 74 | 8k+ | | | Output is not escaped |
| #2926 | Automatic Post Tagger | 38 | 592 | 307 | 2k+ | | | Output is not escaped |
| #2927 | bbPress Login Register Links On Forum Topic Pages | 38 | 142 | 36 | 600 | | | Text Domain Mismatch |
| #2928 | Beauty Form Styler for Gravity Forms | 38 | 70 | 93 | 600 | | | Output is not escaped |
| #2929 | Bible Verse of the Day | 38 | 378 | 23 | 3k+ | | | Unsafe printing function |
| #2930 | SoftTech-IT bKash, Rocket, Nagad | 38 | 164 | 81 | 6k+ | | | Text Domain Mismatch |
| #2931 | Blogger Importer | 38 | 44 | 39 | 50k+ | | | Output is not escaped |
| #2932 | Bot Block – Stop Spam Referrals in Google Analytics | 38 | 28 | 42 | 600 | | | Output is not escaped |
| #2933 | BuddyPress Follow | 38 | 114 | 67 | 1k+ | | | Text Domain Mismatch |
| #2934 | Bulgarisation for WooCommerce | 38 | 128 | 592 | 5k+ | | | Nonce verification recommended |
| #2935 | Car Route Planner Plugin | 38 | 135 | 17 | 400 | | | Output is not escaped |
| #2936 | Cecabank WooCommerce Plugin | 38 | 63 | 32 | 3k+ | | | Text Domain Mismatch |
| #2937 | Certificate Verification | 38 | 33 | 40 | 1k+ | | | Output is not escaped |
| #2938 | Database for Contact Form 7 | 38 | 34 | 128 | 7k+ | | | Missing nonce verification |
| #2939 | Contact Form 7 – Post Fields | 38 | 167 | 25 | 3k+ | | | Text Domain Mismatch |
| #2940 | CF7 to Webhook | 38 | 102 | 72 | 30k+ | | | Unsafe printing function |
| #2941 | Checkout Files Upload for WooCommerce | 38 | 57 | 120 | 7k+ | | | Input is not sanitized |
| #2942 | Classic Editor Plus – WordPress Classic Editor plugin by Felix | 38 | 83 | 42 | 500 | | | Text Domain Mismatch |
| #2943 | Clever Mega Menu for Visual Composer | 38 | 500 | 87 | 1k+ | | | Output is not escaped |
| #2944 | Clever Mega Menu for Elementor | 38 | 835 | 44 | 1k+ | | | Output is not escaped |
| #2945 | Chatbot for WordPress by Collect.chat ⚡️ | 38 | 58 | 36 | 6k+ | | | Unsafe printing function |
| #2946 | country-redirect | 38 | 58 | 19 | 400 | | | Text Domain Mismatch |
| #2947 | Crop-Thumbnails | 38 | 33 | 27 | 40k+ | | | Missing direct file access protection |
| #2948 | CRUDLab Disable Comments | 38 | 20 | 54 | 700 | | | Missing nonce verification |
| #2949 | One page checkout and layouts for woocommerce | 38 | 83 | 52 | 3k+ | | | Non-prefixed global variable |
| #2950 | Custom Menu Wizard Widget | 38 | 326 | 30 | 2k+ | | | Output is not escaped |