WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3751Revision Control41602840k+Output is not escaped
#3752Revisionize4154244k+Output is not escaped
#3753RY Tools for WooCommerce4123275k+Non-prefixed class
#3754Send link to friend418147400Output is not escaped
#3755Service Box41150230400Missing nonce verification
#3756Service Showcase4141597800Non-prefixed global variable
#3757Simple 301 Redirects By BetterLinks – Easy WordPress Redirect Manager for Redirects, 404 Error Log & More414361100k+Request data is not unslashed
#3758Simple Cache4133591k+Input is not sanitized
#3759Simple CPT41280604k+Unsafe printing function
#3760Simple Like Page – Fast & Privacy-Friendly Page Embeds411453110k+Output is not escaped
#3761IP Ban4129392k+Input is not validated
#3762Simple Lightbox412148100k+Nonce verification recommended
#3763Simple Page Access Restriction4166516k+Unsafe printing function
#3764Simple Revision Control4134431k+Dynamic hook name
#3765Smart User Slug Hider4185123k+Output is not escaped
#3766Smoove connector for Elementor forms412260600Nonce verification recommended
#3767SnapScan Payment Gateway413330700Output is not escaped
#3768Masonry Widget415811500Output is not escaped
#3769Solid Post Likes412563500Direct Query
#3770SQL Chart Builder413852600Text Domain Mismatch
#3771Squeeze – Image Optimization & Compression, WEBP Conversion4120702k+Nonce verification recommended
#3772Sticky Posts – Switch418456k+Output is not escaped
#3773Super Testimonial – Testimonial & Customer Review Slider Plugin for WordPress41271682k+Request data is not unslashed
#3774tarteaucitron.io41449210k+Output is not escaped
#3775Taxonomy Converter415424600Output is not escaped
#3776Taxonomy Filter4114340800Output is not escaped
#3777Text Hover4144131k+Output is not escaped
#3778Text Replace4155123k+Output is not escaped
#3779Theme Blvd Importer412558500Missing nonce verification
#3780Theme Duplicator411431400Nonce verification recommended
#3781Threat Scan Plugin412917400Output is not escaped
#3782Advanced Editor Tools41143841m+Unsafe printing function
#3783TW Pagination4190231k+Non Singular String Literal Domain
#3784Unbloater4157185k+Output is not escaped
#3785Usersnap413717500Output is not escaped
#3786Visibility Logic for Elementor41274330k+Output is not escaped
#3787fancyBox 3 for WordPress4172111k+Output is not escaped
#3788Waka Bulk Page4152161k+Unsafe printing function
#3789WaveSurfer-WP418322400Unsafe printing function
#3790Abandoned Cart Recovery for WooCommerce41202024k+Request data is not unslashed
#3791Checkout Field Editor (Checkout Manager) for WooCommerce41988400k+Nonce verification recommended
#3792Advanced Custom Stock Status4184339k+Output is not escaped
#3793Top Image SEO41115265k+Unsafe printing function
#3794M-Pesa(Kenya) Checkout for Woocommerce4146381k+Text Domain Mismatch
#3795Country Based Restrictions for WooCommerce4127675k+Request data is not unslashed
#3796Quick View For WooCommerce4144441k+Output is not escaped
#3797WooCommerce Colors41632810k+Output is not escaped
#3798Pay for Payment for WooCommerce41296710k+Missing nonce verification
#3799Spam Protect for Contact Form 741166110k+Request data is not unslashed
#3800WP Crontrol412091300k+Nonce verification recommended