WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3701Insert JavaScript and CSS416419400Text Domain Mismatch
#3702Multiple Themes411124110k+Output is not escaped
#3703Social Sharing Plugin – Kiwi4123804k+Non-prefixed global variable
#3704Central Color Palette41733310k+Output is not escaped
#3705Lazy Load Optimizer4163263k+Unsafe printing function
#3706LH Agree to Terms415932800Output is not escaped
#3707Lockdown WP Admin41205010k+Request data is not unslashed
#3708Log cleaner for Solid Security4165478k+Text Domain Mismatch
#3709Magic Liquidizer Responsive Table41114386k+Text Domain Mismatch
#3710MaxLimits – Increase Maximum Upload, Post & PHP Limits4199162k+Unsafe printing function
#3711MaxSlider4121457k+Output is not escaped
#3712Media Grid4142442k+Missing Arg Domain
#3713Mihdan: Yandex Turbo Feed4165391k+Output is not escaped
#3714Mobile Contact Bar41943610k+Unsafe printing function
#3715Mollie Forms41145653k+Request data is not unslashed
#3716MouseWheel Smooth Scroll411047100k+Text Domain Mismatch
#3717Multiple Domain41421710k+Output is not escaped
#3718My Favorites4135341k+Output is not escaped
#3719My Wp Brand – Hide menu & Hide Plugin4174502k+Non Singular String Literal Domain
#3720Native Emoji4154375k+Unsafe printing function
#3721Nepali Date Utilities4151151k+date date
#3722Grid Gallery – for Photo Gallery, Image Gallery & Portfolio419741k+Request data is not unslashed
#3723Social Login4181105k+Input is not sanitized
#3724Omnibus — show the lowest price41353710k+Output is not escaped
#3725Live Chat & AI Chatbot – onWebChat413191700error log error log
#3726Optimus – WordPress Image Optimizer41522030k+Unsafe printing function
#3727OSS Aliyun4119404k+Request data is not unslashed
#3728Page Loading Effects4168242k+Output is not escaped
#3729Page & Post Notes4112771k+Non-prefixed global variable
#3730Page Specific Menu Items4178192k+Output is not escaped
#3731Passwordless Login4140241k+Output is not escaped
#3732المنتور فارسی41195440k+Nonce verification recommended
#3733Personalize Login414784500Nonce verification recommended
#3734Phone Button4125203700Non-prefixed global variable
#3735Plugin Activation Tracker4136241k+Text Domain Mismatch
#3736Pods – Custom Content Types and Fields415233100k+Direct Query
#3737Web Accessibility (formally known as Ally) – WCAG Scanning, Guided Fixes, Usability Widget414738500k+Output is not escaped
#3738Post Cloner4125151k+Text Domain Mismatch
#3739Posts 2 Posts41427310k+Non Singular String Literal Domain
#3740Posts Viewed Recently415816700Output is not escaped
#3741Powie's WHOIS Domain Check413811500Unsafe printing function
#3742Preload LCP Image41110314k+Unsafe printing function
#3743Prevent Landscape Rotation4131271k+Output is not escaped
#3744Product Expiry for WooCommerce4131852k+Request data is not unslashed
#3745Simple Product Options for WooCommerce4162413k+Output is not escaped
#3746Product Questions & Answers for WooCommerce418195400Output is not escaped
#3747Variation Swatches for WooCommerce41291269k+Missing nonce verification
#3748Recurring PayPal Donations414847800Text Domain Mismatch
#3749wpSUBpages Redirect412427600Output is not escaped
#3750Responsive Lightbox41681010k+Output is not escaped