WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4101 | Better image sizes | 46 | 45 | 23 | 2k+ | Text Domain Mismatch | ||
| #4102 | Bullhorn Career Portal WordPress Plugin | 46 | 46 | 7 | 1k+ | Output is not escaped | ||
| #4103 | CDEKDelivery | 46 | 75 | 2k+ | Nonce verification recommended | |||
| #4104 | Official CleverReach® Plugin for WooCommerce | 46 | 37 | 98 | 400 | Non-prefixed global variable | ||
| #4105 | CLP Varnish Cache | 46 | 15 | 58 | 10k+ | Non-prefixed global variable | ||
| #4106 | CoSchedule | 46 | 24 | 66 | 3k+ | Nonce verification recommended | ||
| #4107 | DarkMySite – Advanced Dark Mode Plugin for WordPress | 46 | 22 | 100 | 1k+ | Request data is not unslashed | ||
| #4108 | Delete Multiple Themes | 46 | 39 | 5 | 1k+ | Text Domain Mismatch | ||
| #4109 | Display Featured Image for Genesis | 46 | 64 | 59 | 1k+ | Non-prefixed global variable | ||
| #4110 | Easy Basic Authentication – Add basic auth to site or admin area | 46 | 14 | 28 | 700 | Input is not sanitized | ||
| #4111 | Easy Subscribe | 46 | 132 | 800 | Direct Query | |||
| #4112 | Enhanced AJAX Add to Cart for WooCommerce | 46 | 90 | 78 | 600 | Missing Arg Domain | ||
| #4113 | Export Import Menus | 46 | 23 | 28 | 10k+ | Missing nonce verification | ||
| #4114 | GetAutoSEO AI Tool | 46 | 10 | 262 | 2k+ | Direct Query | ||
| #4115 | Import Social Events | 46 | 26 | 355 | 3k+ | Non-prefixed global variable | ||
| #4116 | Live Copy Paste for Elementor – Cross Domain Copy Paste & Page Duplicator | 46 | 13 | 25 | 7k+ | Request data is not unslashed | ||
| #4117 | Material Design Icons for Page Builders | 46 | 69 | 46 | 20k+ | Missing direct file access protection | ||
| #4118 | N360 | Splash Screen | 46 | 32 | 13 | 500 | Output is not escaped | ||
| #4119 | Repeater Fields for Gravity Forms | 46 | 134 | 41 | 1k+ | wp function not compatible with requires wp | ||
| #4120 | Simple Sitemap – Create a Responsive HTML Sitemap | 46 | 33 | 48 | 60k+ | Non-prefixed hook name | ||
| #4121 | Link in Bio Creator – Social | 46 | 52 | 36 | 2k+ | Non Singular String Literal Domain | ||
| #4122 | Stars Rating | 46 | 13 | 34 | 1k+ | Missing nonce verification | ||
| #4123 | StockPack – Stock photos from Unsplash, Adobe Stock and more | 46 | 35 | 51 | 6k+ | Nonce verification recommended | ||
| #4124 | Updater by BestWebSoft | 46 | 494 | 219 | 2k+ | Text Domain Mismatch | ||
| #4125 | URL Params | 46 | 36 | 17 | 8k+ | Text Domain Mismatch | ||
| #4126 | SX User Name Security | 46 | 42 | 9 | 900 | Output is not escaped | ||
| #4127 | WEN Logo Slider | 46 | 6 | 46 | 1k+ | Non-prefixed global variable | ||
| #4128 | Custom Price Labels for WooCommerce | 46 | 17 | 22 | 1k+ | Output is not escaped | ||
| #4129 | WP Lightbox 2 | 46 | 52 | 18 | 30k+ | Text Domain Mismatch | ||
| #4130 | Widget Disable | 46 | 19 | 19 | 10k+ | Output is not escaped | ||
| #4131 | WPB Category Slider for WooCommerce – Responsive Product Category Carousel & Enhanced UX | 46 | 101 | 16 | 700 | Non Singular String Literal Domain | ||
| #4132 | WP All Import – Import SEO Settings for Yoast SEO | 46 | 19 | 26 | 20k+ | Nonce verification recommended | ||
| #4133 | Zoho Mail for WordPress | 46 | 29 | 48 | 20k+ | Request data is not unslashed | ||
| #4134 | AffiliateWP Checkout Referrals | 47 | 48 | 26 | 600 | Output is not escaped | ||
| #4135 | Avacy CMP | 47 | 5 | 90 | 500 | Non-prefixed global variable | ||
| #4136 | Verified Member for BuddyPress | 47 | 20 | 38 | 3k+ | Nonce verification recommended | ||
| #4137 | Better Badge – Custom Product Badges for WooCommerce | 47 | 22 | 47 | 500 | Non Singular String Literal Domain | ||
| #4138 | Customizer Export/Import | 47 | 14 | 15 | 100k+ | Unsafe printing function | ||
| #4139 | Delete Duplicate Posts | 47 | 9 | 50 | 10k+ | Direct Query | ||
| #4140 | DPO Pay for WooCommerce | 47 | 28 | 41 | 1k+ | Non Singular String Literal Text | ||
| #4141 | Show IDs by Echo | 47 | 21 | 13 | 2k+ | Output is not escaped | ||
| #4142 | Extended CRM for Users Insights | 47 | 11 | 23 | 400 | Missing nonce verification | ||
| #4143 | Flying Pages: Preload Pages for Faster Navigation & Improved User Experience | 47 | 21 | 21 | 20k+ | Missing direct file access protection | ||
| #4144 | FSM Custom Featured Image Caption | 47 | 26 | 27 | 5k+ | Output is not escaped | ||
| #4145 | G Meta Keywords | 47 | 31 | 8 | 10k+ | Unsafe printing function | ||
| #4146 | Gateway AqayePardakht for Woocommerce | 47 | 72 | 23 | 4k+ | Text Domain Mismatch | ||
| #4147 | Groups 404 Redirect | 47 | 35 | 33 | 1k+ | Non Singular String Literal Domain | ||
| #4148 | Import Users from CSV | 47 | 33 | 12 | 10k+ | Unsafe printing function | ||
| #4149 | KCSG Kartra Pages | 47 | 30 | 16 | 500 | Heredoc Output Not Escaped | ||
| #4150 | Product Categories/Tags Bottom Description for WooCommerce | 47 | 60 | 23 | 3k+ | Text Domain Mismatch |