WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3551Show Pages URL List40292341k+Non-prefixed global variable
#3552Simple Statistics for Feeds4064131800Nonce verification recommended
#3553Simple Link List Widget4012982k+Output is not escaped
#3554Simple Page Sidebars40556520k+Output is not escaped
#3555Sinatra Core40101158k+Output is not escaped
#3556Specific Content For Mobile – Customize the mobile version without redirections40261554k+Nonce verification recommended
#3557SportsPress for Cricket4012234500Text Domain Mismatch
#3558ST Demo Importer402775700Missing nonce verification
#3559Stax Addons for Elementor4014381500Output is not escaped
#3560Developer Tools Blocker403547400strip tags strip tags
#3561Tagging403337500Output is not escaped
#3562Tealium407319600Unsafe printing function
#3563Theme Toolkit405314400Output is not escaped
#3564Theme and plugin translation for Polylang (TTfP)401026210k+Text Domain Mismatch
#3565Multiple Shipping Addresses for WooCommerce (Address Book)40212082k+Non-prefixed global variable
#3566ThemeZee Toolkit40441166k+Nonce verification recommended
#3567Thin Out Revisions409335800Non Singular String Literal Domain
#3568Timed Content4076635k+Unsafe printing function
#3569Timeline History403117500Output is not escaped
#3570Track Geolocation Of Users Using Contact Form 74017173900Nonce verification recommended
#3571turboSMTP40114112400Unsafe printing function
#3572Ultimate Dashboard – Custom WordPress Dashboard401714460k+Input is not sanitized
#3573Ultimate Noindex Nofollow Tool II4038513k+Input is not validated
#3574Ultimate Member – ForumWP forum integration403173500Nonce verification recommended
#3575Universal Honey Pot4023941k+Missing nonce verification
#3576Unlimited Logo Carousel4028615500Text Domain Mismatch
#3577Upcoming Events Lists407517900Text Domain Mismatch
#3578Url Rewrite Analyzer407323400Unsafe printing function
#3579UsersWP – ReCaptcha4080173k+Text Domain Mismatch
#3580UTM Leads Tracker – XLPlugins402138400Output is not escaped
#3581Visibility Control for LearnDash4055231k+Missing Arg Domain
#3582Visibility Control for LearnPress405219700Missing Arg Domain
#3583Visma Pay for Woocommerce4027372k+Output is not escaped
#3584Visual Builder for Contact Form 7402043500Output is not escaped
#3585Visual Editor Custom Buttons4030484k+Output is not escaped
#3586WP Sticky Button – Click to Chat40736410k+Non-prefixed global variable
#3587WooBooster Partial COD for WooCommerce409051500Text Domain Mismatch
#3588Where Did You Hear About Us Checkout Field for WooCommerce4057661k+Output is not escaped
#3589WC Search Orders By Product404766800Nonce verification recommended
#3590Webo-facto401090800Input is not sanitized
#3591Weight Based Pricing for WooCommerce4016786600Text Domain Mismatch
#3592Widget Builder404052500Non-prefixed global variable
#3593Widget Menuizer404426600Missing Arg Domain
#3594Widget Visibility Without Jetpack4074475k+Text Domain Mismatch
#3595Widgets Control409247800Output is not escaped
#3596Payment Gateway – nexi Alpha Bank for WooCommerce4028451k+Missing nonce verification
#3597Preview E-mails for WooCommerce40353730k+Unsafe printing function
#3598NP Quote Request for WooCommerce40911459k+Non-prefixed global variable
#3599Total Sales Counts for WooCommerce4012162700SQL query is not prepared
#3600yubikey-plugin406433400Text Domain Mismatch