WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
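
The three steps applied in one settings handler, as an added example rather than code from any plugin listed on this page. The `myplugin` prefix, the field names, the option name and the page slug are assumptions; the WordPress functions are core APIs.

```php
<?php
// Added example. The "myplugin" prefix, field names, option name and page slug
// are hypothetical; the WordPress functions called here are core APIs.
add_action( 'admin_post_myplugin_save', 'myplugin_save_settings' );

function myplugin_save_settings() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Insufficient permissions.', 'myplugin' ), '', array( 'response' => 403 ) );
	}
	check_admin_referer( 'myplugin_save', 'myplugin_nonce' );

	// Flagged: sanitize_text_field( $_POST['myplugin_label'] ) sanitizes the slashed
	// value, so a submitted "O'Brien" is stored as "O\'Brien".

	// Read the specific key, unslash it, then sanitize for the expected type.
	$label = isset( $_POST['myplugin_label'] )
		? sanitize_text_field( wp_unslash( $_POST['myplugin_label'] ) )
		: '';

	$limit = isset( $_POST['myplugin_limit'] )
		? absint( wp_unslash( $_POST['myplugin_limit'] ) )
		: 0;

	$mode = isset( $_POST['myplugin_mode'] )
		? sanitize_key( wp_unslash( $_POST['myplugin_mode'] ) )
		: '';

	// Validate the sanitized values before they reach the stored option.
	$valid = '' !== $label && $limit >= 1 && $limit <= 100
		&& in_array( $mode, array( 'inline', 'popup' ), true );

	if ( $valid ) {
		update_option(
			'myplugin_settings',
			array(
				'label' => $label,
				'limit' => $limit,
				'mode'  => $mode,
			)
		);
	}

	// Redirect to a fixed admin URL; only the flag name depends on the outcome.
	$back = admin_url( 'options-general.php?page=myplugin' );
	wp_safe_redirect( add_query_arg( $valid ? 'updated' : 'myplugin_error', '1', $back ) );
	exit;
}
```
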
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Updated | Top Issue |
|---|---|---|---|---|---|---|---|
| #3451 | Publish To Apple News | 90 | 882 | 2 | 5k+ | | Text Domain Mismatch |
| #3452 | Relevanssi Live Ajax Search | 90 | 4 | 22 | 6k+ | | Non Prefixed Variable Found |
| #3453 | Simple Chat Button | 90 | 1 | 4 | 40k+ | | Missing Unslash |
| #3454 | Astra Bulk Edit | 91 | 4 | 3 | 30k+ | | missing direct file access protection |
| #3455 | Icon List Block – Add Icon-Based Lists with Custom Styles | 91 | 3 | 7 | 4k+ | | Not In Footer |
| #3456 | Ollie Menu Designer | 91 | 43 | | 3k+ | | Non Prefixed Variable Found |
| #3457 | Pantheon Advanced Page Cache | 91 | 10 | 6 | 10k+ | | Missing Unslash |
| #3458 | Responsive Tabs | 91 | 59 | 9 | 4k+ | | Non Singular String Literal Domain |
| #3459 | WebAuthn Provider for Two Factor | 91 | 6 | 14 | 1k+ | | Missing Arg Domain |
| #3460 | Unveil Lazy Load | 91 | 2 | 6 | 2k+ | | error log error log |
| #3461 | Ads.txt Manager | 92 | 4 | 4 | 100k+ | | missing direct file access protection |
| #3462 | Daisy Titles — Style & Hide Page and Post Titles | 92 | 1 | 5 | 3k+ | | Input Not Sanitized |
| #3463 | External Permalinks Redux | 92 | 9 | 8 | 2k+ | | Non Prefixed Hookname Found |
| #3464 | Fluent Forms Block | 92 | 4 | 18 | 2k+ | | Non Prefixed Variable Found |
| #3465 | Clear Autoptimize Cache Automatically | 93 | 3 | 9 | 4k+ | | Missing Unslash |
| #3466 | Disable Blog | 93 | 2 | 22 | 20k+ | | Non Prefixed Variable Found |
| #3467 | Image Carousel Module for Divi | 93 | 131 | 3 | 9k+ | | Text Domain Mismatch |
| #3468 | Version Info – Server Health Monitor, PHP & MySQL Version Display, Environment Indicators | 93 | 13 | | 10k+ | | Missing Unslash |
| #3469 | Gravity Forms Zero Spam | 94 | 4 | 9 | 100k+ | | trademarked term |
| #3470 | Blocks Animation: CSS Animations for Gutenberg Blocks | 95 | 1 | 14 | 90k+ | | Non Prefixed Variable Found |