WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4201 | WP Login Form | 48 | 14 | 20 | 7k+ | Request data is not unslashed | ||
| #4202 | WP Remote Users Sync | 48 | 355 | 117 | 6k+ | Text Domain Mismatch | ||
| #4203 | WS Action Scheduler Cleaner | 48 | 13 | 80 | 2k+ | error log error log | ||
| #4204 | Advanced Automatic Updates | 49 | 26 | 25 | 20k+ | Nonce verification recommended | ||
| #4205 | Batcache | 49 | 12 | 53 | 700 | Input is not sanitized | ||
| #4206 | SiteEase Bulk Delete Manager | 49 | 50 | 72 | 900 | Direct Query | ||
| #4207 | Analytics by BestWebSoft – Google Analytics Dashboard and Statistic Plugin for WordPress | 49 | 478 | 176 | 1k+ | Text Domain Mismatch | ||
| #4208 | Gallery Carousel Without JetPack | 49 | 56 | 35 | 4k+ | Text Domain Mismatch | ||
| #4209 | Category Posts in Custom Menu | 49 | 19 | 18 | 2k+ | Output is not escaped | ||
| #4210 | Successful Redirection for Contact Form | 49 | 33 | 20 | 10k+ | Text Domain Mismatch | ||
| #4211 | CryptAPI Payment Gateway for WooCommerce | 49 | 185 | 23 | 400 | Text Domain Mismatch | ||
| #4212 | Dashboard quick links widget | 49 | 22 | 16 | 700 | Output is not escaped | ||
| #4213 | Download Media Library | 49 | 22 | 40 | 1k+ | Text Domain Mismatch | ||
| #4214 | Drag and Drop Multiple File Upload for WooCommerce | 49 | 114 | 29 | 5k+ | Text Domain Mismatch | ||
| #4215 | GDPR Tools: comment ip removement | 49 | 18 | 13 | 2k+ | Unsafe printing function | ||
| #4216 | Easy Google AdSense | 49 | 19 | 12 | 5k+ | Output is not escaped | ||
| #4217 | Easy Media Download | 49 | 20 | 15 | 9k+ | Output is not escaped | ||
| #4218 | Easy Property Listings | 49 | 60 | 66 | 5k+ | wp function not compatible with requires wp | ||
| #4219 | Anti-Spam Protection – No API Key, GDPR Friendly | 49 | 2 | 106 | 1k+ | Direct Query | ||
| #4220 | GamiPress – Multimedia Content | 49 | 11 | 25 | 500 | Nonce verification recommended | ||
| #4221 | Ecommerce Fabrick | 49 | 4 | 135 | 1k+ | Nonce verification recommended | ||
| #4222 | Tag Pilot FREE – Google Tag Manager Integration for WooCommerce | 49 | 33 | 19 | 1k+ | Output is not escaped | ||
| #4223 | HT Feed | 49 | 76 | 11 | 700 | Output is not escaped | ||
| #4224 | Add LinkedIn Insight Tag for LinkedIn Ads | 49 | 126 | 23 | 5k+ | Non Singular String Literal Domain | ||
| #4225 | Logo Carousel Slider | 49 | 102 | 14 | 6k+ | Non Singular String Literal Domain | ||
| #4226 | Plugins Last Updated Column | 49 | 21 | 14 | 700 | Output is not escaped | ||
| #4227 | Post/Page Specific Custom Code | 49 | 21 | 14 | 7k+ | Output is not escaped | ||
| #4228 | Read Meter – Reading Time & Progress Bar | 49 | 39 | 50 | 10k+ | Request data is not unslashed | ||
| #4229 | ReCrawler | 49 | 10 | 40 | 4k+ | Direct Query | ||
| #4230 | Registered Users Only | 49 | 14 | 14 | 2k+ | Unsafe printing function | ||
| #4231 | Simple MyISAM to InnoDB | 49 | 11 | 22 | 1k+ | Output is not escaped | ||
| #4232 | Simple Post Expiration | 49 | 47 | 10 | 400 | Text Domain Mismatch | ||
| #4233 | Songkick Concerts and Festivals | 49 | 9 | 48 | 500 | Input is not sanitized | ||
| #4234 | SpinupWP | 49 | 43 | 38 | 30k+ | Non-prefixed function | ||
| #4235 | Taxonomy Images | 49 | 38 | 50 | 9k+ | Output is not escaped | ||
| #4236 | UiCore Animate – Free Animations, Transitions, and Interactions Addon for Elementor & Gutenberg blocks | 49 | 34 | 38 | 40k+ | Missing direct file access protection | ||
| #4237 | Users by Date Registered | 49 | 13 | 20 | 1k+ | Nonce verification recommended | ||
| #4238 | Was This Helpful? | 49 | 19 | 28 | 1k+ | Output is not escaped | ||
| #4239 | PDF Invoices & Packing Slips for WooCommerce – Challan | 49 | 56 | 151 | 4k+ | Non-prefixed global variable | ||
| #4240 | WooBuilder | 49 | 20 | 17 | 700 | Output is not escaped | ||
| #4241 | WP Post Disclaimer | 49 | 34 | 27 | 800 | Output is not escaped | ||
| #4242 | WP Sitemap Page | 49 | 43 | 14 | 200k+ | Missing Translators Comment | ||
| #4243 | WP Smart Import : Import any XML File to WordPress | 49 | 28 | 302 | 1k+ | Non-prefixed global variable | ||
| #4244 | WP User Groups | 49 | 44 | 32 | 600 | Missing Translators Comment | ||
| #4245 | Aspexi Social Media Sidebox | 50 | 175 | 12 | 700 | Text Domain Mismatch | ||
| #4246 | Auto Ping Booster Free | 50 | 18 | 21 | 900 | Setting is missing a sanitization callback | ||
| #4247 | Booster for WPForms | 50 | 79 | 45 | 700 | Text Domain Mismatch | ||
| #4248 | BuddyPress Groups Extras | 50 | 30 | 51 | 400 | Missing direct file access protection | ||
| #4249 | Category AJAX Filter — Advanced Filter for Posts & Custom Post Types | 50 | 2 | 435 | 6k+ | Non-prefixed global variable | ||
| #4250 | Page Builder Gutenberg Blocks – CoBlocks | 50 | 167 | 36 | 300k+ | block api version too low |