WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4451 | reCAPTCHA for Ninja Forms | 56 | 21 | 9 | 600 | Output is not escaped | ||
| #4452 | Maya Business Plugin | 56 | 9 | 39 | 600 | Input is not validated | ||
| #4453 | Pluginception | 56 | 7 | 29 | 4k+ | Request data is not unslashed | ||
| #4454 | Replace Protected Password | 56 | 6 | 18 | 600 | Input is not sanitized | ||
| #4455 | Seed Social | 56 | 36 | 7 | 6k+ | Output is not escaped | ||
| #4456 | Image Optimization For SEO | 56 | 116 | 69 | 3k+ | Non Singular String Literal Domain | ||
| #4457 | Simple Org Chart | 56 | 15 | 29 | 900 | Missing Version | ||
| #4458 | TableKit – WordPress Table Builder for Data Tables, WooCommerce Product Tables & Post Tables | 56 | 80 | 20 | 3k+ | Missing Translators Comment | ||
| #4459 | TextBuilder | 56 | 20 | 34 | 4k+ | Missing Arg Domain | ||
| #4460 | ThemeinWP Import Companion | 56 | 17 | 14 | 4k+ | Unsafe printing function | ||
| #4461 | Export & Import WPBakery Page Builder | 56 | 12 | 20 | 9k+ | Missing nonce verification | ||
| #4462 | easy AMP | 56 | 10 | 24 | 600 | Input is not sanitized | ||
| #4463 | WP Clean Admin Menu | 56 | 29 | 11 | 2k+ | Output is not escaped | ||
| #4464 | Cache-Control | 57 | 26 | 4 | 1k+ | Output is not escaped | ||
| #4465 | Change Login Page Logo | 57 | 69 | 8 | 1k+ | Output is not escaped | ||
| #4466 | Cresta Social Share Counter | 57 | 12 | 13 | 2k+ | Output is not escaped | ||
| #4467 | Delete Pending Comments | 57 | 16 | 11 | 10k+ | Unsafe printing function | ||
| #4468 | Disable Cart Fragments by Optimocha | 57 | 8 | 13 | 10k+ | Nonce verification recommended | ||
| #4469 | Easy GDPR Consent Forms – MailChimp | 57 | 72 | 22 | 500 | Text Domain Mismatch | ||
| #4470 | Live Chat by Formilla – Real-time Chat & Chatbots Plugin | 57 | 22 | 13 | 2k+ | Missing Arg Domain | ||
| #4471 | APG Google Image Sitemap Feed | 57 | 36 | 33 | 900 | Non-prefixed global variable | ||
| #4472 | Gravity PDF | 57 | 116 | 152 | 20k+ | Non-prefixed global variable | ||
| #4473 | Hide Admin Notices | 57 | 9 | 16 | 20k+ | Input is not sanitized | ||
| #4474 | iZooto – Web Push Notifications | 57 | 26 | 25 | 1k+ | wp function not compatible with requires wp | ||
| #4475 | Jquery Validation For Contact Form 7 | 57 | 16 | 19 | 9k+ | Missing direct file access protection | ||
| #4476 | JSON API User | 57 | 17 | 34 | 1k+ | Non-prefixed hook name | ||
| #4477 | Logo Manager For Enamad – لوگوی نماد الکترونیکی | 57 | 18 | 14 | 5k+ | Output is not escaped | ||
| #4478 | Monri Payments | 57 | 141 | 47 | 900 | Text Domain Mismatch | ||
| #4479 | My WordPress Login Logo | 57 | 28 | 36 | 10k+ | Non-prefixed global variable | ||
| #4480 | Plethora Plugins Tabs + Accordions | 57 | 44 | 10 | 2k+ | Output is not escaped | ||
| #4481 | Plugin Notes | 57 | 17 | 29 | 400 | Input is not validated | ||
| #4482 | Protected Posts Logout Button | 57 | 10 | 20 | 1k+ | Input is not sanitized | ||
| #4483 | Public Post Preview | 57 | 8 | 11 | 100k+ | Nonce verification recommended | ||
| #4484 | Real-Time Find and Replace | 57 | 23 | 10 | 70k+ | Output is not escaped | ||
| #4485 | Remove admin menus by role | 57 | 5 | 54 | 8k+ | Input is not validated | ||
| #4486 | Replain | 57 | 21 | 9 | 700 | Output is not escaped | ||
| #4487 | Search Exclude | 57 | 73 | 40 | 50k+ | Text Domain Mismatch | ||
| #4488 | Simple CSS | 57 | 22 | 13 | 80k+ | Missing Version | ||
| #4489 | Site Health Tool Manager | 57 | 13 | 5 | 1k+ | Unsafe printing function | ||
| #4490 | Responsive Slideshow – Photo Carousel | 57 | 1 | 74 | 2k+ | Non-prefixed global variable | ||
| #4491 | Timologia for WooCommerce | 57 | 75 | 22 | 3k+ | Text Domain Mismatch | ||
| #4492 | Ultimate Member – Terms & Conditions | 57 | 19 | 9 | 4k+ | Output is not escaped | ||
| #4493 | WC Call For Price | 57 | 19 | 55 | 1k+ | Non-prefixed global variable | ||
| #4494 | Filter Orders by Product for WooCommerce | 57 | 9 | 21 | 4k+ | Nonce verification recommended | ||
| #4495 | WP Adsterra Dashboard | 57 | 22 | 21 | 400 | wp function not compatible with requires wp | ||
| #4496 | WP Table Builder – Drag & Drop Table Builder | 57 | 63 | 39 | 50k+ | Not Allowed | ||
| #4497 | WP Wrapper | 57 | 13 | 29 | 600 | Input is not validated | ||
| #4498 | Zoho Billing – Embed Payment Form | 57 | 22 | 10 | 400 | Output is not escaped | ||
| #4499 | Admin Page Notes | 58 | 17 | 15 | 700 | Text Domain Mismatch | ||
| #4500 | Web Accessibility Toolkit – Accessibility Checker & ARIA for WCAG, Section 508 & ADA Compliance | 58 | 9 | 20 | 500 | Output is not escaped |