WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
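The three steps above applied to a settings form handler, next to the pattern the scan flags. This is an added example, not code from the page or from any listed plugin; the `myplugin_*` function names, option keys, nonce action and allowed values are hypothetical.

```php
<?php
// Added example. All myplugin_* names, option keys and the nonce action are assumptions.

// Flagged pattern: the slashed superglobal value goes straight to the sanitizer.
// A submitted title of  O'Reilly  arrives as  O\'Reilly  and is stored with the backslash.
function myplugin_save_settings_flagged() {
	if ( isset( $_POST['myplugin_title'] ) ) {
		update_option( 'myplugin_title', sanitize_text_field( $_POST['myplugin_title'] ) );
	}
}

// Corrected pattern: read the key, unslash, sanitize by type, validate, then use.
function myplugin_save_settings() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'You are not allowed to change these settings.', 'myplugin' ) );
	}
	check_admin_referer( 'myplugin_save_settings' );

	// Free text: unslash first, then sanitize as a single-line string.
	$title = isset( $_POST['myplugin_title'] )
		? sanitize_text_field( wp_unslash( $_POST['myplugin_title'] ) )
		: '';

	// Integer: sanitize with absint(), then validate the accepted range.
	$per_page = isset( $_POST['myplugin_per_page'] )
		? absint( wp_unslash( $_POST['myplugin_per_page'] ) )
		: 10;
	if ( $per_page < 1 || $per_page > 100 ) {
		$per_page = 10;
	}

	// Enumerated value: sanitize as a key, then validate against an allowlist.
	$layout = isset( $_POST['myplugin_layout'] )
		? sanitize_key( wp_unslash( $_POST['myplugin_layout'] ) )
		: 'list';
	if ( ! in_array( $layout, array( 'list', 'grid' ), true ) ) {
		$layout = 'list';
	}

	update_option( 'myplugin_title', $title );
	update_option( 'myplugin_per_page', $per_page );
	update_option( 'myplugin_layout', $layout );
}
add_action( 'admin_post_myplugin_save_settings', 'myplugin_save_settings' );
```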

Affected Plugins

Rank | Plugin | Score Errors Warnings Installs Added Updated | Top Issue
#2901 | AccessibleWP – Accessibility Toolbar | 383812620k+ | Text Domain Mismatch
#2902 | ACF-VC Integrator | 38190913k+ | Output is not escaped
#2903 | Parallax Scroll by adamrob.co.uk | 38102511k+ | Output is not escaped
#2904 | Add Customer for WooCommerce | 382291531k+ | Text Domain Mismatch
#2905 | Admin Bar & Dashboard Access Control | 3894373k+ | Text Domain Mismatch
#2906 | Admin Management Xtended | 382801615k+ | Output is not escaped
#2907 | AdRoll for WooCommerce Stores | 384025600 | Output is not escaped
#2908 | AWCA – The Great Analytics Insights for Your eStore | 382381432k+ | Output is not escaped
#2909 | Advanced 301 and 302 Redirect | 38813391k+ | Non-prefixed global variable
#2910 | Advanced Product Search For WooCommerce | 38160384k+ | Text Domain Mismatch
#2911 | Advanced Sermons | 388331841k+ | Unsafe printing function
#2912 | Afterpay Gateway for WooCommerce | 381836210k+ | Text Domain Mismatch
#2913 | Alphabetic Pagination | 38144117500 | Unsafe printing function
#2914 | Anant Sites — Elementor & Gutenberg Readymade Template Library Free & Pro Templates | 38201561k+ | Non-prefixed global variable
#2915 | Announce from the Dashboard | 38138247k+ | Non Singular String Literal Domain
#2916 | Announcement Bar | 38192613k+ | Non Singular String Literal Domain
#2917 | Any Mobile Theme Switcher | 38695920k+ | Output is not escaped
#2918 | Aplazame | 383439600 | Non-prefixed global variable
#2919 | Activity Log – Monitor & Record User Changes | 3881149200k+ | Nonce verification recommended
#2920 | Ashe Extra | 38109543k+ | Text Domain Mismatch
#2921 | Attachments | 38238668k+ | Unsafe printing function
#2922 | Audio Story Images | 384644400 | Output is not escaped
#2923 | Author Category | 3885254k+ | Output is not escaped
#2924 | Auto Prune Posts | 3854571k+ | Output is not escaped
#2925 | Autologin Links | 3873748k+ | Output is not escaped
#2926 | Automatic Post Tagger | 385923072k+ | Output is not escaped
#2927 | bbPress Login Register Links On Forum Topic Pages | 3814236600 | Text Domain Mismatch
#2928 | Beauty Form Styler for Gravity Forms | 387093600 | Output is not escaped
#2929 | Bible Verse of the Day | 38378233k+ | Unsafe printing function
#2930 | SoftTech-IT bKash, Rocket, Nagad | 38164816k+ | Text Domain Mismatch
#2931 | Blogger Importer | 38443950k+ | Output is not escaped
#2932 | Bot Block – Stop Spam Referrals in Google Analytics | 382842600 | Output is not escaped
#2933 | BuddyPress Follow | 38114671k+ | Text Domain Mismatch
#2934 | Bulgarisation for WooCommerce | 381285925k+ | Nonce verification recommended
#2935 | Car Route Planner Plugin | 3813517400 | Output is not escaped
#2936 | Cecabank WooCommerce Plugin | 3863323k+ | Text Domain Mismatch
#2937 | Certificate Verification | 3833401k+ | Output is not escaped
#2938 | Database for Contact Form 7 | 38341287k+ | Missing nonce verification
#2939 | Contact Form 7 – Post Fields | 38167253k+ | Text Domain Mismatch
#2940 | CF7 to Webhook | 381027230k+ | Unsafe printing function
#2941 | Checkout Files Upload for WooCommerce | 38571207k+ | Input is not sanitized
#2942 | Classic Editor Plus – WordPress Classic Editor plugin by Felix | 388342500 | Text Domain Mismatch
#2943 | Clever Mega Menu for Visual Composer | 38500871k+ | Output is not escaped
#2944 | Clever Mega Menu for Elementor | 38835441k+ | Output is not escaped
#2945 | Chatbot for WordPress by Collect.chat ⚡️ | 3858366k+ | Unsafe printing function
#2946 | country-redirect | 385819400 | Text Domain Mismatch
#2947 | Crop-Thumbnails | 38332740k+ | Missing direct file access protection
#2948 | CRUDLab Disable Comments | 382054700 | Missing nonce verification
#2949 | One page checkout and layouts for woocommerce | 3883523k+ | Non-prefixed global variable
#2950 | Custom Menu Wizard Widget | 38326302k+ | Output is not escaped