WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3351WP Social Widget3923974k+Output is not escaped
#3352AidWP – Donation & Payment Forms (Stripe Powered)39193800Non-prefixed global variable
#3353SEO Auto Linker3997623k+Unsafe printing function
#3354Categories to Tags Converter39863850k+Output is not escaped
#3355WPS Child Theme Generator39111856k+Unsafe printing function
#3356WPS Limit Login3915276100k+Output is not escaped
#3357Yandex Metrica39924620k+Output is not escaped
#3358YITH Custom Login3986335k+Output is not escaped
#3359You can quote me on that395737400Output is not escaped
#3360htaccess protect392833800Input is not validated
#3361404 Notifier403941700Output is not escaped
#3362AccessibleWP – ALT Detector405514500Text Domain Mismatch
#3363ACF qTranslate40184258k+Output is not escaped
#3364ACF Theme Code for Advanced Custom Fields404784010k+Output is not escaped
#3365ACF to Custom Database Tables403664600Nonce verification recommended
#3366Add Pinterest conversion tags for Pinterest Ads + Site verification4088261k+Output is not escaped
#3367Add & Replace Affiliate Links for Amazon403952600Output is not escaped
#3368Subscribe Button by AddToAny409347900Output is not escaped
#3369Address Autocomplete Anything409432900Unsafe printing function
#3370Admin Search4031471k+Output is not escaped
#3371Advanced Admin Search407948600Non Singular String Literal Text
#3372Advanced Country Blocker4023772k+Exception output is not escaped
#3373Advanced Custom Fields: Font Awesome Field403327090k+Text Domain Mismatch
#3374Advanced IP Blocker4094442k+Exception output is not escaped
#3375Advanced WooCommerce Product Gallery Slider4042483k+Non-prefixed global variable
#3376Advanced WPLink4067191k+Text Domain Mismatch
#3377AgreeMe Checkboxes For WooCommerce408844600Text Domain Mismatch
#3378AJAX Thumbnail Rebuild40381430k+Unsafe printing function
#3379Allow Multiple Accounts40115199k+Non Singular String Literal Domain
#3380amCharts: Charts and Maps402631132k+Text Domain Mismatch
#3381Analytics Cat – Google Analytics Made Easy4083276k+Text Domain Mismatch
#3382Animated Live Wall Gallery4027722k+Request data is not unslashed
#3383Athemes Toolbox40254583k+Text Domain Mismatch
#3384Attachment Importer4024763k+Input is not sanitized
#3385Auto Upload Images40621320k+Unsafe printing function
#3386Autocomplete LearnDash Lessons and Topics4046161k+Missing Arg Domain
#3387AutoConvert Greeklish Permalinks401161330k+Text Domain Mismatch
#3388Mastodon Autopost404150800Output is not escaped
#3389Back To The Top Button40312714k+Non-prefixed global variable
#3390Bangladeshi Payment Gateways – Make Payment Using QR Code4040365k+Output is not escaped
#3391Basic Interactive World Map4094541k+Text Domain Mismatch
#3392bbPress WP Tweaks40147181k+Output is not escaped
#3393Better Internal Link Search4023481k+strip tags strip tags
#3394BH Custom CSS3 Preloader – Just play and play4043926900Text Domain Mismatch
#3395Billingo Official for WooCommerce4025373k+Output is not escaped
#3396Black Studio TinyMCE Widget403928200k+Output is not escaped
#3397Broken Link Notifier40111931k+Non-prefixed global variable
#3398Bubble Menu – Floating Button Menu with Sticky Navigation4022161k+Nonce verification recommended
#3399BuddyPress Profile Completion402830500Output is not escaped
#3400Bulk Add Terms407427800Text Domain Mismatch