WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4501Basic User Avatars5817720k+Output is not escaped
#4502BCM Duplicate Menu588114k+Nonce verification recommended
#4503Customization for WP SEO5815102k+Unsafe printing function
#4504Debloat – Remove Unused CSS, Optimize JS58242030k+Nonce verification recommended
#4505Departamentos y Ciudades de Colombia para Woocommerce5849426k+Text Domain Mismatch
#4506Error Log Viewer by BestWebSoft584331726k+Text Domain Mismatch
#4507Flexible FAQ5827261k+Text Domain Mismatch
#4508Go Redirects URL Forwarder5817141k+Output is not escaped
#4509Gutenverse Form – Contact Form Builder, Block Form & Booking Form58174810k+Nonce verification recommended
#4510HAL5810624500Text Domain Mismatch
#4511Menu Swapper5820143k+Output is not escaped
#4512Nginx Cache5812810k+Unsafe printing function
#4513WP Online Active Users5826452k+Non-prefixed global variable
#4514PageLoader Lite – Loading Screen582917700Output is not escaped
#4515Quickcreator – AI Blog Writer581418500Exception output is not escaped
#4516Remove CPT base58151610k+Input is not sanitized
#4517Responsive Select Menu5829273k+Output is not escaped
#4518REVIEWS.io for WooCommerce58711611k+Non-prefixed global variable
#4519Rewrite Rules Inspector5875910k+Nonce verification recommended
#4520Safety Exit5852261k+Text Domain Mismatch
#4521Simple Back To Top5815433k+Non-prefixed global variable
#4522Simple CSS for widgets5811151k+Missing nonce verification
#4523SportsPress for Basketball58104341k+Text Domain Mismatch
#4524SportsPress for Football (Soccer)58107346k+Text Domain Mismatch
#4525SportsPress for Volleyball5810734500Text Domain Mismatch
#4526Super Simple Event Calendar58824600Request data is not unslashed
#4527UiCore Elements – Free widgets and templates for Elementor58293040k+Output is not escaped
#4528View Admin As583071359k+Non Singular String Literal Domain
#4529Cloak Affiliate Links for WooCommerce582862k+Non Singular String Literal Domain
#4530Age Gator59915400Direct Query
#4531AudioIgniter Music Player595310k+Input is not validated
#4532Posts Order5959201k+Text Domain Mismatch
#4533Co-Authors Plus5927620k+Input is not sanitized
#4534Connect SendGrid for Emails5937103900Missing direct file access protection
#4535Cresta Posts Box5910131k+Output is not escaped
#4536Disabled Source, Disabled Right Click and Content Protection5963310k+Nonce verification recommended
#4537ELEX WooCommerce Name Your Price59295117600Missing Arg Domain
#4538etracker analytics591691k+Exception output is not escaped
#4539Fathom Analytics Conversions591447400Non-prefixed function
#4540File Upload For WPForms – Filenzo598161k+Output is not escaped
#4541flowpaper59133110k+Non-prefixed function
#4542GDPR Data Request Form5922195k+Missing direct file access protection
#4543Getty Images5911462k+Missing nonce verification
#4544Gravity Forms: Notification Attachments59187500Output is not escaped
#4545Gravity Forms Approvals Add-On59176800Output is not escaped
#4546GravityWP – Merge Tags59161722k+Non-prefixed global variable
#4547MapGeo – Interactive Geo Maps59145140k+Non-prefixed hook name
#4548JetSticky For Elementor59133830k+Nonce verification recommended
#4549Lazy Loader596249k+Nonce verification recommended
#4550Logo or Image Replace by mycore.global593012400Text Domain Mismatch