WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3151BuddyPress Default Cover Photo396239500Output is not escaped
#3152BugSnag Error Monitoring plugin3952962k+wp function not compatible with requires wp
#3153Bulk Auto Image Alt Text (Alt tag, Alt attribute) optimizer (image SEO)39164710k+Request data is not unslashed
#3154Bulk NoIndex & NoFollow Toolkit39721722k+Nonce verification recommended
#3155Better WordPress External Links3913035400Non Singular String Literal Domain
#3156Cache Images3972271k+Unsafe printing function
#3157Calculator Builder – Create an Online Calculator39162211k+Non-prefixed global variable
#3158Saitama Addon Pack39152271k+Output is not escaped
#3159Contact Form 7 extension for Google Map fields3911858500Missing Arg Domain
#3160Configurable Tag Cloud (CTC)391261212k+Output is not escaped
#3161Constant Contact + WooCommerce3927911k+Nonce verification recommended
#3162Contact Form 7 – Dynamic Text Extension3910328100k+Output is not escaped
#3163Image CAPTCHA for Contact Form 7 and WPForms by HookAndHook (DSGVO/GDPR)39284580k+Missing nonce verification
#3164Content Visibility for Divi Builder39184592k+Non Singular String Literal Domain
#3165Cookies for Comments39222920k+Input is not validated
#3166Country & Phone Field Contact Form 7391173440k+Text Domain Mismatch
#3167Culqi39571881k+Text Domain Mismatch
#3168Custom Metadata Manager398120700Output is not escaped
#3169Custom Post Order391432400Input is not sanitized
#3170Custom Post Type Auto Menu395433500Text Domain Mismatch
#3171Custom Related Posts39131343k+Output is not escaped
#3172Custom Thank You for WooCommerce3910757400Output is not escaped
#3173Da Reactions3915140400Request data is not unslashed
#3174Dashboard Cleaner394091500Missing nonce verification
#3175Datalogics Ecommerce Delivery – Datalogics3913115500Nonce verification recommended
#3176DefendWP Firewall39162033k+Non-prefixed global variable
#3177Deliverability – pass DKIM, SPF, DMARC & more392171800Nonce verification recommended
#3178WeShareAI – AI-Powered Share Buttons (formerly E-MAILiT)3916524700Unsafe printing function
#3179Easy PayPal Events & Tickets39285501k+Request data is not unslashed
#3180Editor Menu and Widget Access3981247k+Output is not escaped
#3181ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor39733481m+Non-prefixed global variable
#3182Email Marketing by EmailOctopus3943623k+Non-prefixed global variable
#3183Events Manager – Zoom Integration3914143700Output is not escaped
#3184BestWebSoft's Like & Share – Posts, Pages and Widget Social Extension plugin for WordPress394802264k+Text Domain Mismatch
#3185FaniMani.pl3910311600Output is not escaped
#3186Faster Image Insert3994262k+Output is not escaped
#3187Favorites3918712310k+Unsafe printing function
#3188First Order Discount Woocommerce3955301k+Output is not escaped
#3189Fix Duplicates397673800Output is not escaped
#3190Flamix: Bitrix24 and WooCommerce Orders integration398131500Output is not escaped
#3191Flex Import3915132500Non-prefixed global variable
#3192Floating Action Button39164691k+Unsafe printing function
#3193GDPRess | Eliminate external requests to increase GDPR compliance3960261k+Output is not escaped
#3194Genesis Dambuster3994673k+Output is not escaped
#3195GF Mollie by Indigo398233900Exception output is not escaped
#3196Gift Up Gift Cards for WordPress and WooCommerce3994605k+Output is not escaped
#3197GL Import External Images3911819800wp function not compatible with requires wp
#3198Prisna GWT – Google Website Translator39117778k+Text Domain Mismatch
#3199GoSMTP – SMTP for WordPress395942500k+Output is not escaped
#3200Graphina – Charts and Graphs For Elementor391,91011310k+Text Domain Mismatch