WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
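
The three steps above applied in one settings handler, as an added example that is not code from any plugin listed on this page. It assumes WordPress is loaded; every `myplugin_*` action, field, nonce and option name is a hypothetical placeholder.

```php
<?php
// Added example. Assumes WordPress is loaded; all "myplugin_*" names are hypothetical.
add_action( 'admin_post_myplugin_save', 'myplugin_handle_save' );

function myplugin_handle_save() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Not allowed.', 'myplugin' ), '', array( 'response' => 403 ) );
	}
	check_admin_referer( 'myplugin_save', 'myplugin_nonce' );

	// Flagged pattern: the value is still slashed when it is sanitized,
	// so a submitted O'Brien would be stored as O\'Brien.
	// $label = sanitize_text_field( $_POST['myplugin_label'] );

	// Free text: read one key, unslash, then sanitize as text.
	$label = isset( $_POST['myplugin_label'] )
		? sanitize_text_field( wp_unslash( $_POST['myplugin_label'] ) )
		: '';

	// Enumerated choice: sanitize as a key; the allowlist check comes below.
	$mode = isset( $_POST['myplugin_mode'] )
		? sanitize_key( wp_unslash( $_POST['myplugin_mode'] ) )
		: '';

	// Integer: reject array input, unslash, then cast with absint().
	$limit = ( isset( $_POST['myplugin_limit'] ) && is_scalar( $_POST['myplugin_limit'] ) )
		? absint( wp_unslash( $_POST['myplugin_limit'] ) )
		: 0;

	// Validate the sanitized values before they reach stored settings.
	$allowed_modes = array( 'off', 'notify', 'block' );
	$valid         = '' !== $label
		&& mb_strlen( $label ) <= 80
		&& in_array( $mode, $allowed_modes, true )
		&& $limit >= 1
		&& $limit <= 100;
	if ( ! $valid ) {
		wp_die( esc_html__( 'Invalid settings.', 'myplugin' ), '', array( 'response' => 400 ) );
	}

	// update_option() expects unslashed data, which is what we hold now.
	update_option( 'myplugin_settings', compact( 'label', 'mode', 'limit' ) );

	wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
	exit;
}
```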
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #3051 | Hide Admin Bar From Front End | 63 | 8 | 17 | 1k+ | Input is not validated | ||
| #3052 | Include Klaviyo for Elementor pro | 63 | 60 | 10 | 2k+ | Missing Arg Domain | ||
| #3053 | Mantenimiento web | 63 | 49 | 15 | 20k+ | Text Domain Mismatch | ||
| #3054 | Missed Scheduled Posts Publisher by WPBeginner | 63 | 16 | 17 | 30k+ | Text Domain Mismatch | ||
| #3055 | Redirect 404 to Home Page – Custom URL | 63 | 9 | 11 | 4k+ | Output is not escaped | ||
| #3056 | Simple Membership After Login Redirection | 63 | 4 | 24 | 10k+ | Missing nonce verification | ||
| #3057 | PayPing Gateway For Woocommerce | 63 | 11 | 40 | 1k+ | Non-prefixed hook name | ||
| #3058 | Phone Validator for WooCommerce | 63 | 8 | 33 | 1k+ | Missing nonce verification | ||
| #3059 | WPC Variation Bulk Editor for WooCommerce | 63 | 13 | 32 | 1k+ | Request data is not unslashed | ||
| #3060 | UniqueID for Contact Form 7 | 64 | 21 | 18 | 2k+ | Text Domain Mismatch | ||
| #3061 | Download Theme | 64 | 18 | 20 | 4k+ | wp function not compatible with requires wp | ||
| #3062 | ELEX WooCommerce Product Price Custom Text (Before & After Text) and Discount | 64 | 444 | 137 | 2k+ | Missing Arg Domain | ||
| #3063 | Estonian Shipping Methods for WooCommerce | 64 | 97 | 16 | 1k+ | Text Domain Mismatch | ||
| #3064 | Icon Element – Icon Pack for Elementor Page Builder (6718 icons) | 64 | 30 | 16 | 40k+ | wp function not compatible with requires wp | ||
| #3065 | Inactive Logout | 64 | 30 | 71 | 10k+ | Non-prefixed global variable | ||
| #3066 | Inline Related Posts | 64 | 17 | 39 | 100k+ | Nonce verification recommended | ||
| #3067 | Kama SpamBlock | 64 | 29 | 7 | 5k+ | Short PHP open tag found | ||
| #3068 | Moosend Website Connector | 64 | 15 | 12 | 1k+ | Non Singular String Literal Domain | ||
| #3069 | Nofollow for external link | 64 | 8 | 5 | 10k+ | Output is not escaped | ||
| #3070 | Stag Custom Sidebars | 64 | 10 | 12 | 2k+ | Text Domain Mismatch | ||
| #3071 | Oceanwp sticky header | 64 | 8 | 13 | 10k+ | Missing nonce verification | ||
| #3072 | | 64 | 27 | 23 | 9k+ | Missing Translators Comment | ||
| #3073 | WProofreader spell & grammar check plugin for WordPress | 64 | 12 | 43 | 4k+ | Non-prefixed global variable | ||
| #3074 | WP REST API Controller | 64 | 8 | 22 | 8k+ | Nonce verification recommended | ||
| #3075 | WP REST Cache | 64 | 11 | 113 | 10k+ | Direct Query | ||
| #3076 | WP Search with Algolia | 64 | 33 | 12 | 7k+ | Missing direct file access protection | ||
| #3077 | WP Term Order | 64 | 2 | 26 | 6k+ | Nonce verification recommended | ||
| #3078 | YaMaps for WordPress Plugin | 64 | 21 | 30 | 10k+ | Non-prefixed global variable | ||
| #3079 | Authorizer | 65 | 3 | 54 | 5k+ | Nonce verification recommended | ||
| #3080 | Contact Form 7 – Success Page Redirects | 65 | 5 | 15 | 10k+ | Input is not sanitized | ||
| #3081 | Custom Global Variables | 65 | 14 | 12 | 5k+ | Output is not escaped | ||
| #3082 | Custom Share Buttons with Floating Sidebar | 65 | 164 | 20 | 4k+ | Text Domain Mismatch | ||
| #3083 | Cyr to Lat Reloaded – Transliteration of Links and File Names | 65 | 13 | 36 | 30k+ | Direct Query | ||
| #3084 | Disable REST API | 65 | 12 | 15 | 90k+ | Output is not escaped | ||
| #3085 | Live Chat with Messenger Customer Chat | 65 | 10 | 23 | 3k+ | Input is not sanitized | ||
| #3086 | Featured Galleries | 65 | 15 | 10 | 3k+ | Output is not escaped | ||
| #3087 | HTACCESS IP Blocker | 65 | 5 | 14 | 3k+ | Missing nonce verification | ||
| #3088 | License For Envato | 65 | 9 | 28 | 9k+ | Non-prefixed global variable | ||
| #3089 | Multi Image Metabox | 65 | 17 | 8 | 6k+ | Output is not escaped | ||
| #3090 | MW WP Form reCAPTCHA | 65 | 11 | 14 | 2k+ | Input is not sanitized | ||
| #3091 | Notibar – Notification Bar for WordPress | 65 | 43 | 60 | 8k+ | wp function not compatible with requires wp | ||
| #3092 | Read More Excerpt Link | 65 | 19 | 8 | 3k+ | Output is not escaped | ||
| #3093 | Web and WooCommerce Addons for WPBakery Builder | 65 | 497 | 123 | 1k+ | Text Domain Mismatch | ||
| #3094 | VK Link Target Controller | 65 | 13 | 10 | 30k+ | Output is not escaped | ||
| #3095 | Add to Cart Text Changer and Customize Button, Add Custom Icon | 65 | 87 | 18 | 2k+ | Text Domain Mismatch | ||
| #3096 | Ajaxify Comments – Ajax and Lazy Loading Comments | 65 | 20 | 38 | 3k+ | Non-prefixed hook name | ||
| #3097 | WP Change Default From Email | 65 | 51 | 7 | 10k+ | Non Singular String Literal Domain | ||
| #3098 | ACF: Rus-To-Lat | 66 | 15 | 11 | 2k+ | Output is not escaped | ||
| #3099 | Bulk Term Generator – Import multiple tags, categories, and taxonomies easily | 66 | 8 | 31 | 2k+ | Request data is not unslashed | ||
| #3100 | Social comments by WpDevArt | 66 | 9 | 19 | 9k+ | Missing Version | ||