WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
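A settings handler that follows the three steps above, added here as an illustration and not taken from any scanned plugin. The `acme_` function, nonce action, field names, option names and settings page slug are hypothetical.

```php
<?php
// Added example: acme_* names, the nonce action, fields and options are hypothetical.
function acme_save_settings() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
	}
	check_admin_referer( 'acme_save_settings' );

	// Flagged pattern: WordPress has already slashed the request data, so a
	// submitted "O'Reilly" is sanitized and stored as "O\'Reilly".
	// $title = sanitize_text_field( $_POST['acme_title'] );

	// 1. Read the specific key and unslash it. 2. Sanitize as plain text.
	$title = isset( $_POST['acme_title'] )
		? sanitize_text_field( wp_unslash( $_POST['acme_title'] ) )
		: '';

	// Slug-like value: sanitize_key(), then 3. validate against an allowlist.
	$layout = isset( $_POST['acme_layout'] )
		? sanitize_key( wp_unslash( $_POST['acme_layout'] ) )
		: '';
	if ( ! in_array( $layout, array( 'grid', 'list' ), true ) ) {
		$layout = 'grid';
	}

	// Integer value: absint(), then clamp to the accepted range.
	$per_page = isset( $_POST['acme_per_page'] )
		? absint( wp_unslash( $_POST['acme_per_page'] ) )
		: 10;
	$per_page = max( 1, min( 100, $per_page ) );

	// Only unslashed, sanitized and validated values reach storage.
	update_option( 'acme_title', $title );
	update_option( 'acme_layout', $layout );
	update_option( 'acme_per_page', $per_page );

	wp_safe_redirect( admin_url( 'options-general.php?page=acme-settings' ) );
	exit;
}
add_action( 'admin_post_acme_save_settings', 'acme_save_settings' );
```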
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #251 | RealPress – Real Estate Plugin | 22 | 604 | 1,167 | 500 | Non-prefixed global variable | ||
| #252 | Restrict User Access – Ultimate Membership & Content Protection | 22 | 977 | 1,840 | 10k+ | Non-prefixed global variable | ||
| #253 | Salon Booking System – Free Version | 22 | 655 | 620 | 2k+ | Missing direct file access protection | ||
| #254 | Social Sharing Plugin – Sassy Social Share | 22 | 1,689 | 233 | 100k+ | wp function not compatible with requires wp | ||
| #255 | Sellsy | 22 | 586 | 490 | 400 | Non Singular String Literal Domain | ||
| #256 | Seraphinite Accelerator | 22 | 594 | 255 | 50k+ | Output is not escaped | ||
| #257 | ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF | 22 | 1,044 | 799 | 300k+ | Non-prefixed global variable | ||
| #258 | Simple Job Board | 22 | 634 | 1,355 | 10k+ | Non-prefixed global variable | ||
| #259 | Slick Popup: Contact Form 7 Popup Plugin | 22 | 2,322 | 316 | 2k+ | Text Domain Mismatch | ||
| #260 | Slim Jetpack | 22 | 2,586 | 1,947 | 2k+ | Text Domain Mismatch | ||
| #261 | SNS Count Cache | 22 | 918 | 120 | 8k+ | Non Singular String Literal Domain | ||
| #262 | NextScripts: Social Networks Auto-Poster | 22 | 2,408 | 1,133 | 30k+ | Output is not escaped | ||
| #263 | SportsPress – Sports Club & League Manager | 22 | 460 | 2,242 | 10k+ | Non-prefixed global variable | ||
| #264 | SSL Zen — SSL Certificate Installer & HTTPS Redirects | 22 | 785 | 1,588 | 10k+ | Non-prefixed global variable | ||
| #265 | Stylish Price List – Price Table Builder & QR Code Restaurant Menu | 22 | 674 | 678 | 3k+ | Output is not escaped | ||
| #266 | SVG Flags – Beautiful Scalable Flags For All Countries! | 22 | 755 | 1,251 | 2k+ | Non-prefixed global variable | ||
| #267 | Swift Performance Lite | 22 | 2,346 | 1,325 | 7k+ | Text Domain Mismatch | ||
| #268 | Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent | 22 | 225 | 519 | 8k+ | error log error log | ||
| #269 | 10Web Booster – Website speed optimization, Cache & Page Speed optimizer | 22 | 513 | 601 | 80k+ | Non-prefixed global variable | ||
| #270 | The Moneytizer | 22 | 751 | 271 | 1k+ | Text Domain Mismatch | ||
| #271 | Theme Editor | 22 | 798 | 685 | 50k+ | Output is not escaped | ||
| #272 | ThemeHunk Customizer | 22 | 3,969 | 582 | 6k+ | Text Domain Mismatch | ||
| #273 | Customize Feeds for Twitter | 22 | 92 | 171 | 4k+ | Non-prefixed global variable | ||
| #274 | Ultimeter | 22 | 751 | 1,344 | 1k+ | Non-prefixed global variable | ||
| #275 | Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin | 22 | 532 | 2,367 | 40k+ | Direct Query | ||
| #276 | Uncanny Toolkit for LearnDash | 22 | 539 | 994 | 20k+ | Output is not escaped | ||
| #277 | Unlimited Elements Blocks Library | 22 | 708 | 1,822 | 400 | Non-prefixed global variable | ||
| #278 | RapidLoad AI – Optimize Web Vitals Automatically | 22 | 81 | 840 | 700 | Nonce verification recommended | ||
| #279 | Search & Replace Everything – Quick and Easy Way to Find and Replace Text, Links | 22 | 1,044 | 1,797 | 20k+ | Non-prefixed global variable | ||
| #280 | URL Shortify – Simple and Easy URL Shortener | 22 | 1,520 | 2,689 | 10k+ | Non-prefixed global variable | ||
| #281 | Welcart e-Commerce | 22 | 10,378 | 10,931 | 10k+ | Text Domain Mismatch | ||
| #282 | Walker Core | 22 | 1,351 | 1,436 | 800 | Non-prefixed global variable | ||
| #283 | WCFM – Frontend Manager for WooCommerce | 22 | 4,754 | 5,054 | 20k+ | Non-prefixed global variable | ||
| #284 | WCFM Marketplace – Multivendor Marketplace for WooCommerce | 22 | 1,934 | 1,966 | 10k+ | Non-prefixed global variable | ||
| #285 | WCFM Membership – WooCommerce Memberships for Multivendor Marketplace | 22 | 559 | 675 | 10k+ | Non-prefixed global variable | ||
| #286 | Wenprise WeChatPay Payment Gateway For WooCommerce | 22 | 443 | 178 | 400 | Exception output is not escaped | ||
| #287 | Fraud Prevention For WooCommerce and EDD | 22 | 572 | 1,394 | 5k+ | Non-prefixed global variable | ||
| #288 | WooCommerce | 22 | 1,359 | 6,172 | 7m+ | Non-prefixed global variable | ||
| #289 | Advanced AJAX Product Filters | 22 | 2,683 | 1,205 | 50k+ | Text Domain Mismatch | ||
| #290 | CoDesigner – All in One Elementor WooCommerce Builder | 22 | 4,131 | 774 | 5k+ | Text Domain Mismatch | ||
| #291 | Simple Shopping Cart | 22 | 796 | 536 | 10k+ | Unsafe printing function | ||
| #292 | ManageWP Worker | 22 | 507 | 565 | 1m+ | Non-prefixed class | ||
| #293 | WP Affiliate Disclosure | 22 | 1,358 | 1,504 | 1k+ | Non-prefixed global variable | ||
| #294 | Asset CleanUp: Page Speed Booster | 22 | 2,030 | 2,485 | 100k+ | Non-prefixed global variable | ||
| #295 | Master Accordion ( Former WP Awesome FAQ Plugin ) | 22 | 1,774 | 1,286 | 700 | Non-prefixed global variable | ||
| #296 | WP Easy Pay – Payment and Donation form Builder for Square | 22 | 910 | 1,835 | 1k+ | Non-prefixed global variable | ||
| #297 | WP Express Checkout (Fast Payments via PayPal & Stripe) | 22 | 591 | 627 | 1k+ | Output is not escaped | ||
| #298 | File Manager | 22 | 740 | 520 | 1m+ | Unsafe printing function | ||
| #299 | WP Fusion Lite – Marketing Automation and CRM Integration for WordPress | 22 | 275 | 683 | 5k+ | Nonce verification recommended | ||
| #300 | WP Umbrella: Update Backup Restore & Monitoring | 22 | 918 | 916 | 70k+ | Exception output is not escaped | ||