WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3301Sync Post With Other Site39179213k+Non Singular String Literal Domain
#3302Tabify Edit Screen398327500Output is not escaped
#3303Tawk.To Manager3920421700Output is not escaped
#3304Easy Category Icons395043700Text Domain Mismatch
#3305ThemeKit For WordPress3914949700Output is not escaped
#3306OpenHook39172221k+Unsafe printing function
#3307TinyMCE Custom Styles39297767k+Non Singular String Literal Domain
#3308TinyMCE Spellcheck3927322k+Unsafe printing function
#3309TomS reCAPTCHA39128256500Missing nonce verification
#3310Traffic Monitor3961431k+Direct Query
#3311UiChemy — Figma Converter for Elementor, Gutenberg and Bricks3971009k+Nonce verification recommended
#3312Ultimate Client Dash39697122k+Text Domain Mismatch
#3313Ultimate Lightbox39110591k+Unsafe printing function
#3314Unlimited Background Slider396653600Output is not escaped
#3315upPrev3935361k+Dynamic hook name
#3316Uptolike Social Share Buttons3938334k+Output is not escaped
#3317Use Any Font | Custom Font Uploader393655200k+Request data is not unslashed
#3318UserHeat Plugin39121206k+Non Singular String Literal Domain
#3319Accessibility by UserWay39223580k+Direct Query
#3320Smart Variation Swatches and Attribute Filters for WooCommerce3939503k+Output is not escaped
#3321Video Blogster Lite392980700Missing nonce verification
#3322Virusdie | One-click website security39149662k+Output is not escaped
#3323Visual Portfolio, Photo Gallery & Post Grid393418960k+Non-prefixed hook name
#3324BeGateway Payment Gateway for WooCommerce395744400Unsafe printing function
#3325Payments via PayMongo for WooCommerce3936811k+Nonce verification recommended
#3326Smart COD for WooCommerce39502830k+Output is not escaped
#3327WebHotelier for WordPress3945140500Text Domain Mismatch
#3328Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types398911720k+Unsafe printing function
#3329Payment Gateway – nexi Alpha Bank for WooCommerce3996401k+Non Singular String Literal Domain
#3330Woo Button Text395321500Output is not escaped
#3331Combo Offers WooCommerce3938892k+Missing nonce verification
#3332Lucky Wheel for WooCommerce – Spin a Sale39121531k+Request data is not unslashed
#3333CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x39722220k+Non-prefixed hook name
#3334PayU GPO Payment for WooCommerce39449110k+Output is not escaped
#3335Modal Fly Cart & AJAX Add to Cart for WooCommerce3983742k+Text Domain Mismatch
#3336WooCommerce Product Dependencies3944603k+Missing nonce verification
#3337Store Toolkit – WooCommerce Extensions, Quick Enhancements & Handy Tools39322668k+Output is not escaped
#3338WP Accessibility3920010460k+Unsafe printing function
#3339WP Add Custom CSS39452360k+Output is not escaped
#3340WP Attachments3949443k+Output is not escaped
#3341WP-Cycle3953173k+Output is not escaped
#3342WP Gmail SMTP3999501k+Text Domain Mismatch
#3343WP Limit Login Attempts39266710k+Direct Query
#3344WP Most Popular3950352k+Output is not escaped
#3345WP Multibyte Patch3924551m+Input is not sanitized
#3346WP Performance Score Booster – Optimize Speed, Enable Cache & Page Preload39592710k+Unsafe printing function
#3347WP Revision Master399629900Text Domain Mismatch
#3348WP SendGrid SMTP3999501k+Text Domain Mismatch
#3349WP Server Health Stats39663110k+Output is not escaped
#3350WP Sitemaps Config398837700Output is not escaped