WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3651Easy Social Like Box – Popup – Sidebar Widget41217917k+Text Domain Mismatch
#3652Categorized Tag Cloud4144171k+Output is not escaped
#3653Conditional Fields for Contact Form 74110653100k+Output is not escaped
#3654CF7 Invisible reCAPTCHA4119527k+Request data is not unslashed
#3655ChatBot Conversational AI Support4172321k+Short PHP open tag found
#3656Checklist416225400Text Domain Mismatch
#3657clickskeks.at Cookiebanner412118500Unsafe printing function
#3658CloudGuard4141131k+Output is not escaped
#3659CMS Tree Page View – Reorder Pages with a Drag-and-Drop Tree411219650k+Unsafe printing function
#3660CoinPayments.net Payment Gateway for WooCommerce4151321k+Text Domain Mismatch
#3661Colorful Categories4120202k+Output is not escaped
#3662Comments Like Dislike41172205k+Non Singular String Literal Domain
#3663Contact Form 7 Captcha41775100k+Request data is not unslashed
#3664Content Widget41729400Output is not escaped
#3665Contribuinte Checkout4130301k+Output is not escaped
#3666Controlled Admin Access41224010k+Nonce verification recommended
#3667Cookie Notice & Consent41101291k+Output is not escaped
#3668Simple Website Banner411068700Output is not escaped
#3669Custom Meta412329700Output is not escaped
#3670Dashboard Notepad41293410k+Missing nonce verification
#3671Database for CF74137322k+Text Domain Mismatch
#3672Debug Bar41642520k+Output is not escaped
#3673Developer Loggers for Simple History414628400Text Domain Mismatch
#3674DevVN Local Store4184281k+Unsafe printing function
#3675Dinamize414165500Output is not escaped
#3676Disable Everything41901630k+Output is not escaped
#3677Disqus Conditional Load4138143k+Output is not escaped
#3678Dropdown multisite selector418213900Unsafe printing function
#3679DSGVO Youtube4148291k+Unsafe printing function
#3680Duplicate Post Page Menu & Custom Post Type41351110k+Text Domain Mismatch
#3681Duplicate Page and Post41262180k+Unsafe printing function
#3682Easy Random Quotes414214500Output is not escaped
#3683Edit Lock414722500Non Singular String Literal Domain
#3684Email Address Encoder411098100k+wp function not compatible with requires wp
#3685Essential Form – The lightest plugin for contact forms, ultra lightweight and no spam412153500Missing nonce verification
#3686Payment Gateway of PayPal for WooCommerce41441847k+Nonce verification recommended
#3687Extra User Details4184151k+Non Singular String Literal Domain
#3688Fast Chat Button41241881k+Non-prefixed global variable
#3689Featured Audio41549400Output is not escaped
#3690Featured Image Generator4131161k+Output is not escaped
#3691Flexible Posts Widget41136337k+Output is not escaped
#3692Gallery Lightbox41471610k+Output is not escaped
#3693Google Authenticator41396520k+Output is not escaped
#3694(Simply) Guest Author Name4135362k+Output is not escaped
#3695SNORDIAN's H5PxAPIkatchu4111988500SQL query is not prepared
#3696Hide My Dates415011400Unsafe printing function
#3697Hide WP Admin Login412339500Nonce verification recommended
#3698Highcompress Image Compressor4110669600Text Domain Mismatch
#3699iCount Payment Gateway4115222500Text Domain Mismatch
#3700Import external attachments4118262k+Output is not escaped