WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4251Customize Tawk.to Widget502128500Request data is not unslashed
#4252Dashboard To-Do List502181k+Unsafe printing function
#4253Event Organiser CSV502827600Output is not escaped
#4254Block IPs for Gravity Forms508361k+Request data is not unslashed
#4255Headline Analyzer5013311k+Nonce verification recommended
#4256HT Slider For Elementor508844020k+Text Domain Mismatch
#4257IMGspider – 图片采集抓取插件5012492k+Missing nonce verification
#4258Custom Block Builder – Lazy Blocks50235120k+Non-prefixed hook name
#4259Mailster Gravity Forms504632800Text Domain Mismatch
#4260MB Custom Post Types & Custom Taxonomies50615510k+Missing Translators Comment
#4261Pago por Redsys504459700Text Domain Mismatch
#4262Product Open Pricing (Name Your Price) for WooCommerce50105376k+Text Domain Mismatch
#4263📷 Simple QR Code Generator Widget502114400Output is not escaped
#4264Razorpay Payment Links for WooCommerce5016341k+Nonce verification recommended
#4265Section Widget502435500Nonce verification recommended
#4266Server Info – System Health & Diagnostics Suite5015463k+Input is not sanitized
#4267Simple User Listing502756900Non-prefixed global variable
#4268Sözleşmeler506361k+Input is not sanitized
#4269BestWebSoft's Twitter50477174900Text Domain Mismatch
#4270User Activity Tracking and Log50302633k+Non-prefixed global variable
#4271Veeqo for WooCommerce503017700Missing direct file access protection
#4272WRC Pricing Tables – Responsive CSS3 Pricing Tables505962k+Missing nonce verification
#4273Cart Popup for WooCommerce5191159k+Non-prefixed global variable
#4274Address Geocoder511218500Output is not escaped
#4275Adjust Admin Categories51301210k+Output is not escaped
#4276Aspexi Social Media Slider51177152k+Text Domain Mismatch
#4277AVIF Uploader5149444k+Missing Arg Domain
#4278Feeds for TikTok – Display Video Feeds in Grid Layouts5118591k+Request data is not unslashed
#4279Booqable Rental Plugin5181181k+wp function not compatible with requires wp
#4280Bootstrap Modals514381k+Output is not escaped
#4281WPML Multilingual for BuddyPress and BuddyBoss5118216k+SQL query is not prepared
#4282CloudFilt Bot & Spam Protection511122600Output is not escaped
#4283Custom Post Type UI5116401m+Non-prefixed hook name
#4284Dynamic Pricing and Discount Rules5124651k+Non Singular String Literal Text
#4285Dolyame Payment gateway5112210700Text Domain Mismatch
#4286Easy Search Replace – Find & Replace Text/HTML/URLs, Remove Footer Credit51661500Input is not sanitized
#4287Gravatar Enhanced – Avatars, Profiles, and Privacy513848100k+Dynamic hook name
#4288Gravity Forms No CAPTCHA reCAPTCHA51301710k+Text Domain Mismatch
#4289Gutenverse – WordPress Blocks, Page Builder & Site Editor51174720k+Non-prefixed hook name
#4290Hide Admin Bar51351720k+Unsafe printing function
#4291Interactive Globes – 3D World Maps5124104400Non-prefixed global variable
#4292Juicer.io: Effortlessly embed, curate, and aggregate social media feeds into your website5144349k+Output is not escaped
#4293KIA Subtitle5121197k+Non-prefixed global variable
#4294Menu Icons by Themeisle – Add Icons to Navigation Menus513422100k+Output is not escaped
#4295Mintpay511435600Nonce verification recommended
#4296OnSale Page for WooCommerce5130442k+Text Domain Mismatch
#4297POLi Payments for WooCommerce516226500Text Domain Mismatch
#4298Quotes and Tips by BestWebSoft514851901k+Text Domain Mismatch
#4299Security-Protection51532400Missing nonce verification
#4300SePay Gateway5112391k+Nonce verification recommended