WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
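The three steps above in one settings handler, as an added example (not code from the scanner or from any listed plugin). The `myplugin_` function names, the `myplugin_save` action, the form fields and the option keys are hypothetical, and the code assumes it runs inside WordPress.

```php
<?php
// Added example. All "myplugin" names, form fields and option keys are hypothetical.

// Flagged pattern (reduced to the one read the sniff reports): the slashed
// superglobal goes straight into the sanitizer, so a submitted value of
// O'Brien is stored as O\'Brien.
function myplugin_save_label_flagged() {
	update_option( 'myplugin_label', sanitize_text_field( $_POST['label'] ) );
}

// Corrected handler: read one key, unslash, sanitize by type, validate, then use.
function myplugin_save_settings() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Not allowed.', 'myplugin' ), '', array( 'response' => 403 ) );
	}
	check_admin_referer( 'myplugin_save', 'myplugin_nonce' );

	// Free text: unslash first, then sanitize as a single-line string.
	$label = isset( $_POST['label'] )
		? sanitize_text_field( wp_unslash( $_POST['label'] ) )
		: '';

	// Enumerated value: sanitize as a key, then validate against an allow-list.
	$mode = isset( $_POST['mode'] )
		? sanitize_key( wp_unslash( $_POST['mode'] ) )
		: '';
	if ( ! in_array( $mode, array( 'off', 'basic', 'strict' ), true ) ) {
		$mode = 'off';
	}

	// Integer: convert after unslashing, then clamp to the accepted range.
	$limit = isset( $_POST['limit'] ) ? absint( wp_unslash( $_POST['limit'] ) ) : 10;
	$limit = min( max( $limit, 1 ), 100 );

	update_option( 'myplugin_label', $label );
	update_option( 'myplugin_mode', $mode );
	update_option( 'myplugin_limit', $limit );

	wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
	exit;
}
add_action( 'admin_post_myplugin_save', 'myplugin_save_settings' );
```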
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Updated |
|---|---|---|---|---|---|---|---|
| #3001 | WP-SWFObject | 60 | 14 | 24 | 1k+ | Deprecated parameter: add_option parameter 3 | |
| #3002 | Ads.txt Manager | 61 | 33 | 16 | 4k+ | Text Domain Mismatch | |
| #3003 | Compact WP Audio Player | 61 | 12 | 21 | 20k+ | Non-prefixed function | |
| #3004 | Disable Right Click For WP | 61 | 15 | 12 | 10k+ | Missing nonce verification | |
| #3005 | ELEX WooCommerce Catalog Mode | 61 | 97 | 49 | 10k+ | Text Domain Mismatch | |
| #3006 | GetPaid Stripe Payments | 61 | 206 | 44 | 2k+ | Text Domain Mismatch | |
| #3007 | GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor | 61 | 9 | 119 | 70k+ | Non-prefixed global variable | |
| #3008 | Marker.io – Visual Website Feedback | 61 | 6 | 31 | 4k+ | Request data is not unslashed | |
| #3009 | Reorder Posts – Quick Post Type and Page Ordering | 61 | 10 | 23 | 10k+ | Request data is not unslashed | |
| #3010 | Multiple Post Passwords | 61 | 13 | 15 | 2k+ | Output is not escaped | |
| #3011 | Powerkit – Supercharge your WordPress Site | 61 | 67 | 115 | 10k+ | Non-prefixed global variable | |
| #3012 | Qikink Print On Demand and DropShipping | 61 | 14 | 23 | 1k+ | Input is not validated | |
| #3013 | Remove Featured Image | 61 | 21 | 12 | 1k+ | Missing Arg Domain | |
| #3014 | SHK Hide Title | 61 | 19 | 4 | 3k+ | Output is not escaped | |
| #3015 | Slider Factory | 61 | 3 | 414 | 2k+ | Non-prefixed global variable | |
| #3016 | Team Showcase | 61 | 1 | 125 | 1k+ | slow db query meta key | |
| #3017 | Two Factor (2FA) Authentication via Email | 61 | 12 | 27 | 9k+ | Request data is not unslashed | |
| #3018 | More Sorting Options for WooCommerce | 61 | 27 | 17 | 3k+ | Output is not escaped | |
| #3019 | WP-CORS | 61 | 7 | 23 | 1k+ | error log error log | |
| #3020 | RSS Feed Retriever | 61 | 23 | 8 | 7k+ | wp function not compatible with requires wp | |
| #3021 | Add Meta Tag Keywords | 62 | 6 | 15 | 1k+ | Missing nonce verification | |
| #3022 | ARI Fancy Lightbox – Popup for WordPress | 62 | 8 | 107 | 10k+ | Non-prefixed namespace | |
| #3023 | Bulk edit publish date | 62 | 11 | 16 | 2k+ | Nonce verification recommended | |
| #3024 | Bulk Page Creator | 62 | 9 | 17 | 10k+ | Request data is not unslashed | |
| #3025 | Carousel Slider | 62 | 71 | 30k+ | Non-prefixed global variable | ||
| #3026 | Custom Permalink Editor | 62 | 4 | 51 | 3k+ | Non-prefixed hook name | |
| #3027 | Custom Sidebars by ProteusThemes | 62 | 17 | 23 | 1k+ | Missing nonce verification | |
| #3028 | Disable Visual Editor WYSIWYG | 62 | 10 | 12 | 1k+ | Nonce verification recommended | |
| #3029 | GetGenie – AI Content Writer with Keyword Research & SEO Tracking | 62 | 13 | 39 | 80k+ | Nonce verification recommended | |
| #3030 | Cron Jobs | 62 | 21 | 33 | 2k+ | Nonce verification recommended | |
| #3031 | MainWP Key Maker | 62 | 3 | 35 | 4k+ | Input is not sanitized | |
| #3032 | Proofreading | 62 | 11 | 74 | 5k+ | Direct Query | |
| #3033 | Responsive Slider Gallery – Responsive Image Photo Slider | 62 | 32 | 122 | 2k+ | Non-prefixed global variable | |
| #3034 | Easy SSL Plugin for SAKURA Rental Server | 62 | 23 | 17 | 50k+ | Input is not sanitized | |
| #3035 | Single Post Template | 62 | 14 | 8 | 4k+ | Text Domain Mismatch | |
| #3036 | Sitewide Notice WP | 62 | 6 | 13 | 3k+ | Output is not escaped | |
| #3037 | Testimonial Carousel For Elementor | 62 | 34 | 56 | 10k+ | No Html Wrapped Strings | |
| #3038 | Satispay for WooCommerce | 62 | 19 | 12 | 7k+ | Exception output is not escaped | |
| #3039 | WooCommerce Product Fees | 62 | 6 | 25 | 2k+ | Missing nonce verification | |
| #3040 | WP Downloader | 62 | 11 | 15 | 2k+ | Output is not escaped | |
| #3041 | Wp Theme plugin Download | 62 | 11 | 16 | 2k+ | Output is not escaped | |
| #3042 | XPoster – Share to Bluesky and Mastodon | 62 | 26 | 36 | 10k+ | Missing nonce verification | |
| #3043 | Zen Menu Logic | 62 | 19 | 3 | 1k+ | Output is not escaped | |
| #3044 | Automatic Featured Images from Videos | 63 | 14 | 13 | 7k+ | Missing direct file access protection | |
| #3045 | DW Block User Account | 63 | 6 | 11 | 1k+ | Unsafe printing function | |
| #3046 | Categories Images | 63 | 10 | 21 | 50k+ | wp function not compatible with requires wp | |
| #3047 | Category Sticky Post | 63 | 4 | 24 | 3k+ | Missing nonce verification | |
| #3048 | Christmasify! | 63 | 18 | 7 | 3k+ | Output is not escaped | |
| #3049 | Classic Editor | 63 | 17 | 7 | 9m+ | Unsafe printing function | |
| #3050 | Classic Editor and Classic Widgets | 63 | 18 | 41 | 20k+ | Nonce verification recommended | |