WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4201WP Login Form4814207k+Request data is not unslashed
#4202WP Remote Users Sync483551176k+Text Domain Mismatch
#4203WS Action Scheduler Cleaner4813802k+error log error log
#4204Advanced Automatic Updates49262520k+Nonce verification recommended
#4205Batcache491253700Input is not sanitized
#4206SiteEase Bulk Delete Manager495072900Direct Query
#4207Analytics by BestWebSoft – Google Analytics Dashboard and Statistic Plugin for WordPress494781761k+Text Domain Mismatch
#4208Gallery Carousel Without JetPack4956354k+Text Domain Mismatch
#4209Category Posts in Custom Menu4919182k+Output is not escaped
#4210Successful Redirection for Contact Form49332010k+Text Domain Mismatch
#4211CryptAPI Payment Gateway for WooCommerce4918523400Text Domain Mismatch
#4212Dashboard quick links widget492216700Output is not escaped
#4213Download Media Library4922401k+Text Domain Mismatch
#4214Drag and Drop Multiple File Upload for WooCommerce49114295k+Text Domain Mismatch
#4215GDPR Tools: comment ip removement4918132k+Unsafe printing function
#4216Easy Google AdSense4919125k+Output is not escaped
#4217Easy Media Download4920159k+Output is not escaped
#4218Easy Property Listings4960665k+wp function not compatible with requires wp
#4219Anti-Spam Protection – No API Key, GDPR Friendly4921061k+Direct Query
#4220GamiPress – Multimedia Content491125500Nonce verification recommended
#4221Ecommerce Fabrick4941351k+Nonce verification recommended
#4222Tag Pilot FREE – Google Tag Manager Integration for WooCommerce4933191k+Output is not escaped
#4223HT Feed497611700Output is not escaped
#4224Add LinkedIn Insight Tag for LinkedIn Ads49126235k+Non Singular String Literal Domain
#4225Logo Carousel Slider49102146k+Non Singular String Literal Domain
#4226Plugins Last Updated Column492114700Output is not escaped
#4227Post/Page Specific Custom Code4921147k+Output is not escaped
#4228Read Meter – Reading Time & Progress Bar49395010k+Request data is not unslashed
#4229ReCrawler4910404k+Direct Query
#4230Registered Users Only4914142k+Unsafe printing function
#4231Simple MyISAM to InnoDB4911221k+Output is not escaped
#4232Simple Post Expiration494710400Text Domain Mismatch
#4233Songkick Concerts and Festivals49948500Input is not sanitized
#4234SpinupWP49433830k+Non-prefixed function
#4235Taxonomy Images4938509k+Output is not escaped
#4236UiCore Animate – Free Animations, Transitions, and Interactions Addon for Elementor & Gutenberg blocks49343840k+Missing direct file access protection
#4237Users by Date Registered4913201k+Nonce verification recommended
#4238Was This Helpful?4919281k+Output is not escaped
#4239PDF Invoices & Packing Slips for WooCommerce – Challan49561514k+Non-prefixed global variable
#4240WooBuilder492017700Output is not escaped
#4241WP Post Disclaimer493427800Output is not escaped
#4242WP Sitemap Page494314200k+Missing Translators Comment
#4243WP Smart Import : Import any XML File to WordPress49283021k+Non-prefixed global variable
#4244WP User Groups494432600Missing Translators Comment
#4245Aspexi Social Media Sidebox5017512700Text Domain Mismatch
#4246Auto Ping Booster Free501821900Setting is missing a sanitization callback
#4247Booster for WPForms507945700Text Domain Mismatch
#4248BuddyPress Groups Extras503051400Missing direct file access protection
#4249Category AJAX Filter — Advanced Filter for Posts & Custom Post Types5024356k+Non-prefixed global variable
#4250Page Builder Gutenberg Blocks – CoBlocks5016736300k+block api version too low