WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3801WP Extended Search411593720k+Output is not escaped
#3802Regions for WP Job Manager4129557k+Nonce verification recommended
#3803WP Lorem ipsum413729500Unsafe printing function
#3804WP Media folders4119743k+Direct Query
#3805Pledged Plugins PCI Gateway for NMI and WooCommerce41160422k+Text Domain Mismatch
#3806WP Permalink Translator4134212k+Unsafe printing function
#3807WP Router412913800Exception output is not escaped
#3808WP Test Email41322820k+Unsafe printing function
#3809User Login Notifier for WordPress4172261k+Output is not escaped
#3810WPS Hide Login4134722m+Nonce verification recommended
#3811Export WooCommerce Orders, Products, Customers & Coupons to Google Sheets414535700Output is not escaped
#3812Simple Accessibility Button4133171900Non-prefixed global variable
#3813Z-Credit Checkout – WooCommerce Payment Gateway4115122900Text Domain Mismatch
#3814Zilla Portfolio4113915400Text Domain Mismatch
#3815Pricing Table – Responsive & Easy421171483k+Non-prefixed global variable
#3816ActiveTrail – Contact Form 7421885600Missing nonce verification
#3817Add to Home Screen & Progressive Web App4223681k+Request data is not unslashed
#3818Admin Options Pages423284500Nonce verification recommended
#3819Affiliate Link Tracker422449500Request data is not unslashed
#3820Agoda Affiliate Partners Text Link Generator42440500Interpolated SQL is not prepared
#3821Post Grid Master — Post Grids & AJAX Filters42441151k+Non-prefixed global variable
#3822Open Currency Converter4259191k+Unsafe printing function
#3823Automatic NBSP4224163k+Output is not escaped
#3824AweSplash – Just Splash Page423934400Output is not escaped
#3825多合一搜索自动推送管理插件-支持Baidu/Google/Bing/IndexNow/Yandex/头条4217382k+Input is not sanitized
#3826Basic SEO Pack42868700Output is not escaped
#3827Bazz CallBack widget4255283k+Unsafe printing function
#3828Block Temporary Email423313500Unsafe printing function
#3829Booking.com Official Search Box4236322k+Output is not escaped
#3830BP Auto Group Join425555700Output is not escaped
#3831Bulk Change Media Author4225202k+Unsafe printing function
#3832CCAvenue Payment Gateway for WooCommerce4253403k+Text Domain Mismatch
#3833Custom Spinner for Contact Form 74236111k+Output is not escaped
#3834HTML Template for CF74221271k+Non-prefixed global variable
#3835Change Background Color for Pages, Posts, Widgets42357500Text Domain Mismatch
#3836Chartbeat4233181k+Output is not escaped
#3837Cities Shipping Zones for WooCommerce4294444k+Text Domain Mismatch
#3838Clover Payments for WooCommerce4225152k+Exception output is not escaped
#3839Comment Blacklist Updater4245151k+Output is not escaped
#3840Comment Reply Email422123500Unsafe printing function
#3841Companion Revision Manager – Revision Control4218284k+Unsafe printing function
#3842Contact Form 7 add confirm42315150k+Text Domain Mismatch
#3843Cookie Notify421554400Input is not validated
#3844CookieHub – Cookie Consent Banner (DSGVO, CCPA, RGPD and GDPR compliance)4233493k+Output is not escaped
#3845Cronjob Scheduler4220361k+Input is not sanitized
#3846Custom Fields for Gutenberg4224241k+Output is not escaped
#3847Custom Login423611610k+Non-prefixed global variable
#3848Custom Taxonomy Order42205650k+Output is not escaped
#3849CWW connector Lite – Connect Contact Form 7 & ActiveCampaign423921400Output is not escaped
#3850Dashboard Notes422734600Missing Arg Domain