WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3701 | Insert JavaScript and CSS | 41 | 64 | 19 | 400 | Text Domain Mismatch | ||
| #3702 | Multiple Themes | 41 | 112 | 41 | 10k+ | Output is not escaped | ||
| #3703 | Social Sharing Plugin – Kiwi | 41 | 23 | 80 | 4k+ | Non-prefixed global variable | ||
| #3704 | Central Color Palette | 41 | 73 | 33 | 10k+ | Output is not escaped | ||
| #3705 | Lazy Load Optimizer | 41 | 63 | 26 | 3k+ | Unsafe printing function | ||
| #3706 | LH Agree to Terms | 41 | 59 | 32 | 800 | Output is not escaped | ||
| #3707 | Lockdown WP Admin | 41 | 20 | 50 | 10k+ | Request data is not unslashed | ||
| #3708 | Log cleaner for Solid Security | 41 | 65 | 47 | 8k+ | Text Domain Mismatch | ||
| #3709 | Magic Liquidizer Responsive Table | 41 | 114 | 38 | 6k+ | Text Domain Mismatch | ||
| #3710 | MaxLimits – Increase Maximum Upload, Post & PHP Limits | 41 | 99 | 16 | 2k+ | Unsafe printing function | ||
| #3711 | MaxSlider | 41 | 21 | 45 | 7k+ | Output is not escaped | ||
| #3712 | Media Grid | 41 | 42 | 44 | 2k+ | Missing Arg Domain | ||
| #3713 | Mihdan: Yandex Turbo Feed | 41 | 65 | 39 | 1k+ | Output is not escaped | ||
| #3714 | Mobile Contact Bar | 41 | 94 | 36 | 10k+ | Unsafe printing function | ||
| #3715 | Mollie Forms | 41 | 14 | 565 | 3k+ | Request data is not unslashed | ||
| #3716 | MouseWheel Smooth Scroll | 41 | 104 | 7 | 100k+ | Text Domain Mismatch | ||
| #3717 | Multiple Domain | 41 | 42 | 17 | 10k+ | Output is not escaped | ||
| #3718 | My Favorites | 41 | 35 | 34 | 1k+ | Output is not escaped | ||
| #3719 | My Wp Brand – Hide menu & Hide Plugin | 41 | 74 | 50 | 2k+ | Non Singular String Literal Domain | ||
| #3720 | Native Emoji | 41 | 54 | 37 | 5k+ | Unsafe printing function | ||
| #3721 | Nepali Date Utilities | 41 | 51 | 15 | 1k+ | date date | ||
| #3722 | Grid Gallery – for Photo Gallery, Image Gallery & Portfolio | 41 | 9 | 74 | 1k+ | Request data is not unslashed | ||
| #3723 | Social Login | 41 | 8 | 110 | 5k+ | Input is not sanitized | ||
| #3724 | Omnibus — show the lowest price | 41 | 35 | 37 | 10k+ | Output is not escaped | ||
| #3725 | Live Chat & AI Chatbot – onWebChat | 41 | 31 | 91 | 700 | error log error log | ||
| #3726 | Optimus – WordPress Image Optimizer | 41 | 52 | 20 | 30k+ | Unsafe printing function | ||
| #3727 | OSS Aliyun | 41 | 19 | 40 | 4k+ | Request data is not unslashed | ||
| #3728 | Page Loading Effects | 41 | 68 | 24 | 2k+ | Output is not escaped | ||
| #3729 | Page & Post Notes | 41 | 12 | 77 | 1k+ | Non-prefixed global variable | ||
| #3730 | Page Specific Menu Items | 41 | 78 | 19 | 2k+ | Output is not escaped | ||
| #3731 | Passwordless Login | 41 | 40 | 24 | 1k+ | Output is not escaped | ||
| #3732 | المنتور فارسی | 41 | 19 | 54 | 40k+ | Nonce verification recommended | ||
| #3733 | Personalize Login | 41 | 47 | 84 | 500 | Nonce verification recommended | ||
| #3734 | Phone Button | 41 | 25 | 203 | 700 | Non-prefixed global variable | ||
| #3735 | Plugin Activation Tracker | 41 | 36 | 24 | 1k+ | Text Domain Mismatch | ||
| #3736 | Pods – Custom Content Types and Fields | 41 | 5 | 233 | 100k+ | Direct Query | ||
| #3737 | Web Accessibility (formally known as Ally) – WCAG Scanning, Guided Fixes, Usability Widget | 41 | 47 | 38 | 500k+ | Output is not escaped | ||
| #3738 | Post Cloner | 41 | 25 | 15 | 1k+ | Text Domain Mismatch | ||
| #3739 | Posts 2 Posts | 41 | 42 | 73 | 10k+ | Non Singular String Literal Domain | ||
| #3740 | Posts Viewed Recently | 41 | 58 | 16 | 700 | Output is not escaped | ||
| #3741 | Powie's WHOIS Domain Check | 41 | 38 | 11 | 500 | Unsafe printing function | ||
| #3742 | Preload LCP Image | 41 | 110 | 31 | 4k+ | Unsafe printing function | ||
| #3743 | Prevent Landscape Rotation | 41 | 31 | 27 | 1k+ | Output is not escaped | ||
| #3744 | Product Expiry for WooCommerce | 41 | 31 | 85 | 2k+ | Request data is not unslashed | ||
| #3745 | Simple Product Options for WooCommerce | 41 | 62 | 41 | 3k+ | Output is not escaped | ||
| #3746 | Product Questions & Answers for WooCommerce | 41 | 81 | 95 | 400 | Output is not escaped | ||
| #3747 | Variation Swatches for WooCommerce | 41 | 29 | 126 | 9k+ | Missing nonce verification | ||
| #3748 | Recurring PayPal Donations | 41 | 48 | 47 | 800 | Text Domain Mismatch | ||
| #3749 | wpSUBpages Redirect | 41 | 24 | 27 | 600 | Output is not escaped | ||
| #3750 | Responsive Lightbox | 41 | 68 | 10 | 10k+ | Output is not escaped |