WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4101Better image sizes4645232k+Text Domain Mismatch
#4102Bullhorn Career Portal WordPress Plugin464671k+Output is not escaped
#4103CDEKDelivery46752k+Nonce verification recommended
#4104Official CleverReach® Plugin for WooCommerce463798400Non-prefixed global variable
#4105CLP Varnish Cache46155810k+Non-prefixed global variable
#4106CoSchedule4624663k+Nonce verification recommended
#4107DarkMySite – Advanced Dark Mode Plugin for WordPress46221001k+Request data is not unslashed
#4108Delete Multiple Themes463951k+Text Domain Mismatch
#4109Display Featured Image for Genesis4664591k+Non-prefixed global variable
#4110Easy Basic Authentication – Add basic auth to site or admin area461428700Input is not sanitized
#4111Easy Subscribe46132800Direct Query
#4112Enhanced AJAX Add to Cart for WooCommerce469078600Missing Arg Domain
#4113Export Import Menus46232810k+Missing nonce verification
#4114GetAutoSEO AI Tool46102622k+Direct Query
#4115Import Social Events46263553k+Non-prefixed global variable
#4116Live Copy Paste for Elementor – Cross Domain Copy Paste & Page Duplicator4613257k+Request data is not unslashed
#4117Material Design Icons for Page Builders46694620k+Missing direct file access protection
#4118N360 | Splash Screen463213500Output is not escaped
#4119Repeater Fields for Gravity Forms46134411k+wp function not compatible with requires wp
#4120Simple Sitemap – Create a Responsive HTML Sitemap46334860k+Non-prefixed hook name
#4121Link in Bio Creator – Social4652362k+Non Singular String Literal Domain
#4122Stars Rating4613341k+Missing nonce verification
#4123StockPack – Stock photos from Unsplash, Adobe Stock and more4635516k+Nonce verification recommended
#4124Updater by BestWebSoft464942192k+Text Domain Mismatch
#4125URL Params4636178k+Text Domain Mismatch
#4126SX User Name Security46429900Output is not escaped
#4127WEN Logo Slider466461k+Non-prefixed global variable
#4128Custom Price Labels for WooCommerce4617221k+Output is not escaped
#4129WP Lightbox 246521830k+Text Domain Mismatch
#4130Widget Disable46191910k+Output is not escaped
#4131WPB Category Slider for WooCommerce – Responsive Product Category Carousel & Enhanced UX4610116700Non Singular String Literal Domain
#4132WP All Import – Import SEO Settings for Yoast SEO46192620k+Nonce verification recommended
#4133Zoho Mail for WordPress46294820k+Request data is not unslashed
#4134AffiliateWP Checkout Referrals474826600Output is not escaped
#4135Avacy CMP47590500Non-prefixed global variable
#4136Verified Member for BuddyPress4720383k+Nonce verification recommended
#4137Better Badge – Custom Product Badges for WooCommerce472247500Non Singular String Literal Domain
#4138Customizer Export/Import471415100k+Unsafe printing function
#4139Delete Duplicate Posts4795010k+Direct Query
#4140DPO Pay for WooCommerce4728411k+Non Singular String Literal Text
#4141Show IDs by Echo4721132k+Output is not escaped
#4142Extended CRM for Users Insights471123400Missing nonce verification
#4143Flying Pages: Preload Pages for Faster Navigation & Improved User Experience47212120k+Missing direct file access protection
#4144FSM Custom Featured Image Caption4726275k+Output is not escaped
#4145G Meta Keywords4731810k+Unsafe printing function
#4146Gateway AqayePardakht for Woocommerce4772234k+Text Domain Mismatch
#4147Groups 404 Redirect4735331k+Non Singular String Literal Domain
#4148Import Users from CSV47331210k+Unsafe printing function
#4149KCSG Kartra Pages473016500Heredoc Output Not Escaped
#4150Product Categories/Tags Bottom Description for WooCommerce4760233k+Text Domain Mismatch