WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3851Dashboard Sticky Notes4220172k+Missing nonce verification
#3852Delete Expired Transients4249655k+Direct Query
#3853Disable Comments424419100k+Unsafe printing function
#3854Disable User Login4225195k+Unsafe printing function
#3855Simple HTML Sitemap4242201k+Text Domain Mismatch
#3856Storefront Online Ordering by DoorDash427610600Output is not escaped
#3857Duplicate Page or Post42122119k+Text Domain Mismatch
#3858Easy Demo Import for Omega Themes423341400Output is not escaped
#3859Easy Video Player42202020k+Output is not escaped
#3860Embedly4217382k+Output is not escaped
#3861Enable Classic Editor & Widgets4210662k+Non Singular String Literal Domain
#3862Etsy Shop4258213k+Unsafe printing function
#3863Exclude Pages42311420k+Non Singular String Literal Domain
#3864FCM Push Notification from WP424316500Non Singular String Literal Domain
#3865File Media Renamer4216422k+Input is not sanitized
#3866First payment date for WooCommerce Subscriptions424219400Output is not escaped
#3867Flexible Editor Panel for Elementor421544220k+Text Domain Mismatch
#3868FooTable428671k+Output is not escaped
#3869FormCraft – Form Builder421861562k+Text Domain Mismatch
#3870Lock Down Admin4230203k+Unsafe printing function
#3871Fusion Page Builder : Extension – Gallery422930600Output is not escaped
#3872GA Google Analytics – Connect Google Analytics to WordPress424630400k+Output is not escaped
#3873Hide Cart Functions4212503k+Nonce verification recommended
#3874Hide Featured Image42261210k+Unsafe printing function
#3875HTML Editor Syntax Highlighter42302150k+Output is not escaped
#3876Image Uploader for Welcart4227243k+Output is not escaped
#3877WP All Import – Import SEO Settings for Rank Math SEO4218447k+Nonce verification recommended
#3878iOS images fixer4222426k+Nonce verification recommended
#3879iyzico for WooCommerce42345410k+Unsafe printing function
#3880Lazy Social Comments4273101k+Unsafe printing function
#3881LeadSnap4214841k+Input is not validated
#3882LH Page Links To422538500Output is not escaped
#3883Image and Video Lightbox, Image PopUp4253151k+Output is not escaped
#3884LIQUID BLOCKS – Slider, Carousel, Accordion4250314k+Unsafe printing function
#3885Login No Captcha reCAPTCHA42452460k+Unsafe printing function
#3886Mailster Cool Captcha426528400Text Domain Mismatch
#3887Manage User Columns4215271k+Request data is not unslashed
#3888Mass Delete Unused Tags42219800Output is not escaped
#3889Message Popup For Contact Form 74230811k+Missing nonce verification
#3890Mobile CSS42597500Output is not escaped
#3891My Upload Images427448400Unsafe printing function
#3892Nav Menu Collapse4217393k+Missing nonce verification
#3893NS Remove Related Products for WooCommerce4295433k+Output is not escaped
#3894OG Tags42131342k+Non Singular String Literal Domain
#3895OnPay.io for WooCommerce42238371k+Text Domain Mismatch
#3896PageMenu4216291k+Missing nonce verification
#3897PAYDUNYA WOOCOMMERCE PAR425432600Text Domain Mismatch
#3898PDF Thumbnail Generator4226162k+Output is not escaped
#3899Polylang Theme Strings42119306k+Output is not escaped
#3900Post Types Order424543600k+wp function not compatible with requires wp