WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3401Bulk Delete Comments4016615k+Direct Query
#3402Bulk Featured Image4069117800Output is not escaped
#3403Bulk Move4085449k+Unsafe printing function
#3404Buy one Get one Free – BOGO discount rule maker for WooCommerce4011957400Text Domain Mismatch
#3405Coming soon Page402418500Text Domain Mismatch
#3406Custom Cart Link for WooCommerce402416700Unsafe printing function
#3407Catalog for Woocommerce4092751k+Output is not escaped
#3408Categories Metabox Enhanced4077361k+Output is not escaped
#3409Category Featured Images Extended4017740400Text Domain Mismatch
#3410CleverReach Integration for Contact Form 74010343700Text Domain Mismatch
#3411Contact form 7 TO API + Basic Auth4073301k+Non Singular String Literal Domain
#3412Contact Form 7 to Mailjet407039600Output is not escaped
#3413Classified Ads40136381k+Text Domain Mismatch
#3414Cleaner Gallery404082k+Unsafe printing function
#3415Client Portal – Private user pages and login4052293k+Output is not escaped
#3416Client Portal : SuiteDash Direct Login4093171k+Text Domain Mismatch
#3417codoc4019392k+Request data is not unslashed
#3418Complete Image Sitemap4055181k+Output is not escaped
#3419Conditional WooCommerce Checkout Field408422400Unsafe printing function
#3420Contact Form 7 GetResponse Extension4088181k+Text Domain Mismatch
#3421Contact Form 7 Multi-Step Forms40654150k+Output is not escaped
#3422Database Addon for Contact Form 7 – CFDB7403556600k+Nonce verification recommended
#3423Free Cookie Notice & Consent Banner for Privacy Compliance (GDPR, CCPA, DSGVO and others)4039156k+Missing direct file access protection
#3424Copyscape Premium40148133800SQL query is not prepared
#3425Country State City Dropdown CF74035545k+Direct Query
#3426Coupon Generator for WooCommerce40392810k+Unsafe printing function
#3427Crisp – Live Chat and Chatbot40242020k+Unsafe printing function
#3428Cryout Serious Theme Settings403325140k+Output is not escaped
#3429Cryptocurrency Widgets Pack4022252700Unsafe printing function
#3430Crypto Price Widgets – CryptoWP4010343600Output is not escaped
#3431Custom Contact Forms40131066k+Missing nonce verification
#3432Custom Simple Rss40731302k+Nonce verification recommended
#3433Dashboard Welcome for Beaver Builder4038242k+Output is not escaped
#3434Dashify: WooCommerce admin dashboard theme4016131900Nonce verification recommended
#3435Delete Me40116177k+Output is not escaped
#3436Donation Thermometer40324882k+Output is not escaped
#3437Duplicate Page4039433m+Unsafe printing function
#3438Easy Document Embedder – Embed Word, excel, Powerpoint, Pdf file and more..405527500Output is not escaped
#3439Enhanced Custom Permalinks4051821k+Nonce verification recommended
#3440Eventer4061551k+Output is not escaped
#3441Expiring Posts405220900Missing Arg Domain
#3442FameTheme Demo Importer4087430k+Nonce verification recommended
#3443FAQ Schema – Accordion, Tab, Slider & Gutenberg Block40253462k+Output is not escaped
#3444Far Future Expiry Header4025367k+Request data is not unslashed
#3445Fast User Switching4028282k+Output is not escaped
#3446Featured Post403618800Output is not escaped
#3447Flamingo4015228800k+Nonce verification recommended
#3448FluentComments – Spam protection, AntiSpam, Ajax Enhanced Comments405047700Non-prefixed global variable
#3449Flying Scripts: Delay JavaScript to Improve Site Speed & Performance40234430k+Missing direct file access protection
#3450FlyWP Helper – Page Cache, Page Optimization, Emails for FlyWP Server Control Panel4020814k+Non-prefixed global variable