WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4151Simple Custom Post Order47976300k+Direct Query
#4152SportsPress for Baseball4711334900Text Domain Mismatch
#4153Tabby Checkout4733464k+Non-prefixed class
#4154The Tribal Plugin474362700Non-prefixed function
#4155Userback4713202k+Output is not escaped
#4156Simple Client Dashboard4738362k+Missing direct file access protection
#4157Website Article Monetization By MageNet47172410k+Output is not escaped
#4158WP Custom Author URL4716385k+Non-prefixed global variable
#41593CX Free Live Chat, Calls & Messaging472416100k+Output is not escaped
#4160WP PHP Console471824500Output is not escaped
#4161WP Prefix Changer472716900Missing Arg Domain
#4162QuadLayers TikTok Feed4778527k+Text Domain Mismatch
#4163Post Status Notifications4798411k+Text Domain Mismatch
#4164Compress, Resize & Lazy Load Images – WPvivid Image Optimization471075810k+Missing direct file access protection
#4165Add-on WooCommerce – MailPoet 3483021600Output is not escaped
#4166Add Polylang support for Customizer4818202k+Nonce verification recommended
#4167Ansar Import – One Click Starter Sites – for Elementor & Themes482711610k+Non-prefixed global variable
#4168AnWP Post Grid and Post Carousel Slider for Elementor4875817120k+Text Domain Mismatch
#4169Better Block Patterns4877111k+Missing direct file access protection
#4170BP Simple Private481912500Output is not escaped
#4171Comment Notifier481055400Non-prefixed global variable
#4172Convertful – Your Ultimate On-Site Conversion Tool4815343k+wp function not compatible with requires wp
#4173CookieFox – Cookie Notice481419400Output is not escaped
#4174Current Menu Item for Custom Post Types4818302k+Non-prefixed global variable
#4175Custom Background Extended481323800Input is not validated
#4176Custom Header Extended4819111k+Unsafe printing function
#4177Custom Related Products for WooCommerce4825105k+Text Domain Mismatch
#4178Easy Share Solution For WordPress481533900Output is not escaped
#4179Filter Page by Template4817202k+Nonce verification recommended
#4180Fixed And Sticky Header483171k+Output is not escaped
#4181Hotline Phone Ring4816158k+Output is not escaped
#4182JW Player for WordPress48288781k+Text Domain Mismatch
#4183Library Bookshelves481259500Nonce verification recommended
#4184Mailster Live482237600Missing Translators Comment
#4185MWW Disclaimer Buttons482116400Output is not escaped
#4186Optinly – Exit Intent, Newsletter Popups, Gamification & Opt-in Forms483414800Non Singular String Literal Domain
#4187Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories4863273100k+Non-prefixed global variable
#4188Raw HTML Snippets4814362k+Input is not sanitized
#4189External Links4842139k+Output is not escaped
#4190Simple Regenerate Slug48186400Unsafe printing function
#4191Easy Updates Manager4813182300k+Non-prefixed global variable
#4192Tako Movable Comments4818391k+Input is not sanitized
#4193Taxonomy Switcher4822362k+Nonce verification recommended
#4194ThemeFarmer Companion4854512k+Missing Version
#4195Trust Payments Gateway for WooCommerce483529400Missing Translators Comment
#4196Visual Website Optimizer488645k+wp function not compatible with requires wp
#4197Whitelist IP For Limit Login Attempts481812500Output is not escaped
#4198Conditional Display for Mobile – Mobile Detect Plugin4841122k+Input is not sanitized
#4199Flutterwave Payment Gateway for WooCommerce4814222k+Output is not escaped
#4200WP Attachment Export481625600Input is not sanitized