WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4151 | Simple Custom Post Order | 47 | 9 | 76 | 300k+ | Direct Query | ||
| #4152 | SportsPress for Baseball | 47 | 113 | 34 | 900 | Text Domain Mismatch | ||
| #4153 | Tabby Checkout | 47 | 33 | 46 | 4k+ | Non-prefixed class | ||
| #4154 | The Tribal Plugin | 47 | 43 | 62 | 700 | Non-prefixed function | ||
| #4155 | Userback | 47 | 13 | 20 | 2k+ | Output is not escaped | ||
| #4156 | Simple Client Dashboard | 47 | 38 | 36 | 2k+ | Missing direct file access protection | ||
| #4157 | Website Article Monetization By MageNet | 47 | 17 | 24 | 10k+ | Output is not escaped | ||
| #4158 | WP Custom Author URL | 47 | 16 | 38 | 5k+ | Non-prefixed global variable | ||
| #4159 | 3CX Free Live Chat, Calls & Messaging | 47 | 24 | 16 | 100k+ | Output is not escaped | ||
| #4160 | WP PHP Console | 47 | 18 | 24 | 500 | Output is not escaped | ||
| #4161 | WP Prefix Changer | 47 | 27 | 16 | 900 | Missing Arg Domain | ||
| #4162 | QuadLayers TikTok Feed | 47 | 78 | 52 | 7k+ | Text Domain Mismatch | ||
| #4163 | Post Status Notifications | 47 | 98 | 41 | 1k+ | Text Domain Mismatch | ||
| #4164 | Compress, Resize & Lazy Load Images – WPvivid Image Optimization | 47 | 107 | 58 | 10k+ | Missing direct file access protection | ||
| #4165 | Add-on WooCommerce – MailPoet 3 | 48 | 30 | 21 | 600 | Output is not escaped | ||
| #4166 | Add Polylang support for Customizer | 48 | 18 | 20 | 2k+ | Nonce verification recommended | ||
| #4167 | Ansar Import – One Click Starter Sites – for Elementor & Themes | 48 | 27 | 116 | 10k+ | Non-prefixed global variable | ||
| #4168 | AnWP Post Grid and Post Carousel Slider for Elementor | 48 | 758 | 171 | 20k+ | Text Domain Mismatch | ||
| #4169 | Better Block Patterns | 48 | 77 | 11 | 1k+ | Missing direct file access protection | ||
| #4170 | BP Simple Private | 48 | 19 | 12 | 500 | Output is not escaped | ||
| #4171 | Comment Notifier | 48 | 10 | 55 | 400 | Non-prefixed global variable | ||
| #4172 | Convertful – Your Ultimate On-Site Conversion Tool | 48 | 15 | 34 | 3k+ | wp function not compatible with requires wp | ||
| #4173 | CookieFox – Cookie Notice | 48 | 14 | 19 | 400 | Output is not escaped | ||
| #4174 | Current Menu Item for Custom Post Types | 48 | 18 | 30 | 2k+ | Non-prefixed global variable | ||
| #4175 | Custom Background Extended | 48 | 13 | 23 | 800 | Input is not validated | ||
| #4176 | Custom Header Extended | 48 | 19 | 11 | 1k+ | Unsafe printing function | ||
| #4177 | Custom Related Products for WooCommerce | 48 | 25 | 10 | 5k+ | Text Domain Mismatch | ||
| #4178 | Easy Share Solution For WordPress | 48 | 15 | 33 | 900 | Output is not escaped | ||
| #4179 | Filter Page by Template | 48 | 17 | 20 | 2k+ | Nonce verification recommended | ||
| #4180 | Fixed And Sticky Header | 48 | 31 | 7 | 1k+ | Output is not escaped | ||
| #4181 | Hotline Phone Ring | 48 | 16 | 15 | 8k+ | Output is not escaped | ||
| #4182 | JW Player for WordPress | 48 | 288 | 78 | 1k+ | Text Domain Mismatch | ||
| #4183 | Library Bookshelves | 48 | 12 | 59 | 500 | Nonce verification recommended | ||
| #4184 | Mailster Live | 48 | 22 | 37 | 600 | Missing Translators Comment | ||
| #4185 | MWW Disclaimer Buttons | 48 | 21 | 16 | 400 | Output is not escaped | ||
| #4186 | Optinly – Exit Intent, Newsletter Popups, Gamification & Opt-in Forms | 48 | 34 | 14 | 800 | Non Singular String Literal Domain | ||
| #4187 | Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories | 48 | 63 | 273 | 100k+ | Non-prefixed global variable | ||
| #4188 | Raw HTML Snippets | 48 | 14 | 36 | 2k+ | Input is not sanitized | ||
| #4189 | External Links | 48 | 42 | 13 | 9k+ | Output is not escaped | ||
| #4190 | Simple Regenerate Slug | 48 | 18 | 6 | 400 | Unsafe printing function | ||
| #4191 | Easy Updates Manager | 48 | 13 | 182 | 300k+ | Non-prefixed global variable | ||
| #4192 | Tako Movable Comments | 48 | 18 | 39 | 1k+ | Input is not sanitized | ||
| #4193 | Taxonomy Switcher | 48 | 22 | 36 | 2k+ | Nonce verification recommended | ||
| #4194 | ThemeFarmer Companion | 48 | 54 | 51 | 2k+ | Missing Version | ||
| #4195 | Trust Payments Gateway for WooCommerce | 48 | 35 | 29 | 400 | Missing Translators Comment | ||
| #4196 | Visual Website Optimizer | 48 | 86 | 4 | 5k+ | wp function not compatible with requires wp | ||
| #4197 | Whitelist IP For Limit Login Attempts | 48 | 18 | 12 | 500 | Output is not escaped | ||
| #4198 | Conditional Display for Mobile – Mobile Detect Plugin | 48 | 4 | 112 | 2k+ | Input is not sanitized | ||
| #4199 | Flutterwave Payment Gateway for WooCommerce | 48 | 14 | 22 | 2k+ | Output is not escaped | ||
| #4200 | WP Attachment Export | 48 | 16 | 25 | 600 | Input is not sanitized |