WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4451reCAPTCHA for Ninja Forms56219600Output is not escaped
#4452Maya Business Plugin56939600Input is not validated
#4453Pluginception567294k+Request data is not unslashed
#4454Replace Protected Password56618600Input is not sanitized
#4455Seed Social563676k+Output is not escaped
#4456Image Optimization For SEO56116693k+Non Singular String Literal Domain
#4457Simple Org Chart561529900Missing Version
#4458TableKit – WordPress Table Builder for Data Tables, WooCommerce Product Tables & Post Tables5680203k+Missing Translators Comment
#4459TextBuilder5620344k+Missing Arg Domain
#4460ThemeinWP Import Companion5617144k+Unsafe printing function
#4461Export & Import WPBakery Page Builder5612209k+Missing nonce verification
#4462easy AMP561024600Input is not sanitized
#4463WP Clean Admin Menu5629112k+Output is not escaped
#4464Cache-Control572641k+Output is not escaped
#4465Change Login Page Logo576981k+Output is not escaped
#4466Cresta Social Share Counter5712132k+Output is not escaped
#4467Delete Pending Comments57161110k+Unsafe printing function
#4468Disable Cart Fragments by Optimocha5781310k+Nonce verification recommended
#4469Easy GDPR Consent Forms – MailChimp577222500Text Domain Mismatch
#4470Live Chat by Formilla – Real-time Chat & Chatbots Plugin5722132k+Missing Arg Domain
#4471APG Google Image Sitemap Feed573633900Non-prefixed global variable
#4472Gravity PDF5711615220k+Non-prefixed global variable
#4473Hide Admin Notices5791620k+Input is not sanitized
#4474iZooto – Web Push Notifications5726251k+wp function not compatible with requires wp
#4475Jquery Validation For Contact Form 75716199k+Missing direct file access protection
#4476JSON API User5717341k+Non-prefixed hook name
#4477Logo Manager For Enamad – لوگوی نماد الکترونیکی5718145k+Output is not escaped
#4478Monri Payments5714147900Text Domain Mismatch
#4479My WordPress Login Logo57283610k+Non-prefixed global variable
#4480Plethora Plugins Tabs + Accordions5744102k+Output is not escaped
#4481Plugin Notes571729400Input is not validated
#4482Protected Posts Logout Button5710201k+Input is not sanitized
#4483Public Post Preview57811100k+Nonce verification recommended
#4484Real-Time Find and Replace57231070k+Output is not escaped
#4485Remove admin menus by role575548k+Input is not validated
#4486Replain57219700Output is not escaped
#4487Search Exclude57734050k+Text Domain Mismatch
#4488Simple CSS57221380k+Missing Version
#4489Site Health Tool Manager571351k+Unsafe printing function
#4490Responsive Slideshow – Photo Carousel571742k+Non-prefixed global variable
#4491Timologia for WooCommerce5775223k+Text Domain Mismatch
#4492Ultimate Member – Terms & Conditions571994k+Output is not escaped
#4493WC Call For Price5719551k+Non-prefixed global variable
#4494Filter Orders by Product for WooCommerce579214k+Nonce verification recommended
#4495WP Adsterra Dashboard572221400wp function not compatible with requires wp
#4496WP Table Builder – Drag & Drop Table Builder57633950k+Not Allowed
#4497WP Wrapper571329600Input is not validated
#4498Zoho Billing – Embed Payment Form572210400Output is not escaped
#4499Admin Page Notes581715700Text Domain Mismatch
#4500Web Accessibility Toolkit – Accessibility Checker & ARIA for WCAG, Section 508 & ADA Compliance58920500Output is not escaped