WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#251RealPress – Real Estate Plugin226041,167500Non-prefixed global variable
#252Restrict User Access – Ultimate Membership & Content Protection229771,84010k+Non-prefixed global variable
#253Salon Booking System – Free Version226556202k+Missing direct file access protection
#254Social Sharing Plugin – Sassy Social Share221,689233100k+wp function not compatible with requires wp
#255Sellsy22586490400Non Singular String Literal Domain
#256Seraphinite Accelerator2259425550k+Output is not escaped
#257ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF221,044799300k+Non-prefixed global variable
#258Simple Job Board226341,35510k+Non-prefixed global variable
#259Slick Popup: Contact Form 7 Popup Plugin222,3223162k+Text Domain Mismatch
#260Slim Jetpack222,5861,9472k+Text Domain Mismatch
#261SNS Count Cache229181208k+Non Singular String Literal Domain
#262NextScripts: Social Networks Auto-Poster222,4081,13330k+Output is not escaped
#263SportsPress – Sports Club & League Manager224602,24210k+Non-prefixed global variable
#264SSL Zen — SSL Certificate Installer & HTTPS Redirects227851,58810k+Non-prefixed global variable
#265Stylish Price List – Price Table Builder & QR Code Restaurant Menu226746783k+Output is not escaped
#266SVG Flags – Beautiful Scalable Flags For All Countries!227551,2512k+Non-prefixed global variable
#267Swift Performance Lite222,3461,3257k+Text Domain Mismatch
#268Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent222255198k+error log error log
#26910Web Booster – Website speed optimization, Cache & Page Speed optimizer2251360180k+Non-prefixed global variable
#270The Moneytizer227512711k+Text Domain Mismatch
#271Theme Editor2279868550k+Output is not escaped
#272ThemeHunk Customizer223,9695826k+Text Domain Mismatch
#273Customize Feeds for Twitter22921714k+Non-prefixed global variable
#274Ultimeter227511,3441k+Non-prefixed global variable
#275Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin225322,36740k+Direct Query
#276Uncanny Toolkit for LearnDash2253999420k+Output is not escaped
#277Unlimited Elements Blocks Library227081,822400Non-prefixed global variable
#278RapidLoad AI – Optimize Web Vitals Automatically2281840700Nonce verification recommended
#279Search & Replace Everything – Quick and Easy Way to Find and Replace Text, Links221,0441,79720k+Non-prefixed global variable
#280URL Shortify – Simple and Easy URL Shortener221,5202,68910k+Non-prefixed global variable
#281Welcart e-Commerce2210,37810,93110k+Text Domain Mismatch
#282Walker Core221,3511,436800Non-prefixed global variable
#283WCFM – Frontend Manager for WooCommerce224,7545,05420k+Non-prefixed global variable
#284WCFM Marketplace – Multivendor Marketplace for WooCommerce221,9341,96610k+Non-prefixed global variable
#285WCFM Membership – WooCommerce Memberships for Multivendor Marketplace2255967510k+Non-prefixed global variable
#286Wenprise WeChatPay Payment Gateway For WooCommerce22443178400Exception output is not escaped
#287Fraud Prevention For WooCommerce and EDD225721,3945k+Non-prefixed global variable
#288WooCommerce221,3596,1727m+Non-prefixed global variable
#289Advanced AJAX Product Filters222,6831,20550k+Text Domain Mismatch
#290CoDesigner – All in One Elementor WooCommerce Builder224,1317745k+Text Domain Mismatch
#291Simple Shopping Cart2279653610k+Unsafe printing function
#292ManageWP Worker225075651m+Non-prefixed class
#293WP Affiliate Disclosure221,3581,5041k+Non-prefixed global variable
#294Asset CleanUp: Page Speed Booster222,0302,485100k+Non-prefixed global variable
#295Master Accordion ( Former WP Awesome FAQ Plugin )221,7741,286700Non-prefixed global variable
#296WP Easy Pay – Payment and Donation form Builder for Square229101,8351k+Non-prefixed global variable
#297WP Express Checkout (Fast Payments via PayPal & Stripe)225916271k+Output is not escaped
#298File Manager227405201m+Unsafe printing function
#299WP Fusion Lite – Marketing Automation and CRM Integration for WordPress222756835k+Nonce verification recommended
#300WP Umbrella: Update Backup Restore & Monitoring2291891670k+Exception output is not escaped