WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4601 | Country and State Selection Addon for Gravity Forms | 61 | 14 | 26 | 1k+ | Non-prefixed constant | ||
| #4602 | GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor | 61 | 9 | 119 | 80k+ | Non-prefixed global variable | ||
| #4603 | Hide Admin Bar For User Roles | 61 | 38 | 10 | 500 | Output is not escaped | ||
| #4604 | Marker.io – Visual Website Feedback | 61 | 6 | 31 | 4k+ | Request data is not unslashed | ||
| #4605 | Mentions Legales Par Webdeclic | 61 | 82 | 39 | 500 | Non Singular String Literal Domain | ||
| #4606 | Reorder Posts – Quick Post Type and Page Ordering | 61 | 10 | 23 | 10k+ | Request data is not unslashed | ||
| #4607 | Multiple Post Passwords | 61 | 13 | 15 | 2k+ | Output is not escaped | ||
| #4608 | Newspack Newsletters | 61 | 53 | 47 | 1k+ | Request data is not unslashed | ||
| #4609 | Order On Mobile for WooCommerce | 61 | 37 | 15 | 2k+ | Text Domain Mismatch | ||
| #4610 | Organic Custom Content | 61 | 8 | 18 | 700 | Input is not sanitized | ||
| #4611 | Post/Page Import Export – Migrate Content with Custom Fields & Taxonomies | 61 | 12 | 27 | 400 | Input is not sanitized | ||
| #4612 | Powerkit – Supercharge your WordPress Site | 61 | 67 | 116 | 10k+ | Non-prefixed global variable | ||
| #4613 | Publish Post Email Notification | 61 | 16 | 18 | 600 | Output is not escaped | ||
| #4614 | Qikink Print On Demand and DropShipping | 61 | 14 | 23 | 1k+ | Input is not validated | ||
| #4615 | Remove Featured Image | 61 | 21 | 12 | 1k+ | Missing Arg Domain | ||
| #4616 | SHK Hide Title | 61 | 19 | 4 | 3k+ | Output is not escaped | ||
| #4617 | Simple User Avatar | 61 | 8 | 14 | 20k+ | Output is not escaped | ||
| #4618 | Slider Factory | 61 | 3 | 414 | 2k+ | Non-prefixed global variable | ||
| #4619 | SSL Certificate Manager | 61 | 14 | 7 | 600 | Output is not escaped | ||
| #4620 | Team Showcase | 61 | 1 | 125 | 1k+ | slow db query meta key | ||
| #4621 | Text Domain Inspector | 61 | 41 | 36 | 400 | Non-prefixed global variable | ||
| #4622 | Two Factor (2FA) Authentication via Email | 61 | 12 | 27 | 9k+ | Request data is not unslashed | ||
| #4623 | whatwedo ACF Cleaner | 61 | 8 | 20 | 800 | Input is not validated | ||
| #4624 | When Last Login – Export User Records | 61 | 18 | 13 | 500 | Output is not escaped | ||
| #4625 | Order Weight for WooCommerce | 61 | 24 | 34 | 600 | Text Domain Mismatch | ||
| #4626 | Products Restricted Users for WooCommerce | 61 | 31 | 24 | 400 | wp function not compatible with requires wp | ||
| #4627 | More Sorting Options for WooCommerce | 61 | 27 | 17 | 3k+ | Output is not escaped | ||
| #4628 | wp-cleanumlauts2 | 61 | 32 | 22 | 1k+ | Output is not escaped | ||
| #4629 | WP-CORS | 61 | 7 | 23 | 1k+ | error log error log | ||
| #4630 | RSS Feed Retriever | 61 | 23 | 8 | 7k+ | wp function not compatible with requires wp | ||
| #4631 | WP YouTube Player | 61 | 14 | 17 | 1k+ | Output is not escaped | ||
| #4632 | Add Meta Tag Keywords | 62 | 6 | 15 | 1k+ | Missing nonce verification | ||
| #4633 | AMP Contact FORM 7 – AMPCF7 | 62 | 9 | 13 | 500 | Input is not validated | ||
| #4634 | AMS Post And Page Duplicator | 62 | 14 | 13 | 600 | Text Domain Mismatch | ||
| #4635 | ARI Fancy Lightbox – Popup for WordPress | 62 | 8 | 107 | 10k+ | Non-prefixed namespace | ||
| #4636 | Contact Form 7 – Blacklist Unwanted Email | 62 | 16 | 11 | 400 | Missing direct file access protection | ||
| #4637 | Bulk edit publish date | 62 | 11 | 16 | 1k+ | Nonce verification recommended | ||
| #4638 | Bulk Page Creator | 62 | 9 | 17 | 10k+ | Request data is not unslashed | ||
| #4639 | Carousel Slider | 62 | 71 | 30k+ | Non-prefixed global variable | |||
| #4640 | Christmas Panda | 62 | 14 | 45 | 400 | Input is not validated | ||
| #4641 | Custom Permalink Editor | 62 | 4 | 51 | 3k+ | Non-prefixed hook name | ||
| #4642 | Custom Sidebars by ProteusThemes | 62 | 17 | 23 | 1k+ | Missing nonce verification | ||
| #4643 | Dashboard Widget Sidebar | 62 | 9 | 16 | 400 | Input is not validated | ||
| #4644 | Devices for Elementor | 62 | 22 | 13 | 400 | Output is not escaped | ||
| #4645 | Disable Visual Editor WYSIWYG | 62 | 10 | 12 | 1k+ | Nonce verification recommended | ||
| #4646 | Falcon – WordPress Optimizations & Tweaks | 62 | 47 | 66 | 2k+ | Short PHP open tag found | ||
| #4647 | Get Chat App | 62 | 10 | 62 | 400 | Request data is not unslashed | ||
| #4648 | GetGenie – AI Content Writer with Keyword Research & SEO Tracking | 62 | 13 | 39 | 80k+ | Nonce verification recommended | ||
| #4649 | Hestia Nginx Cache | 62 | 21 | 8 | 1k+ | Output is not escaped | ||
| #4650 | Import entries for Gravity Forms | 62 | 6 | 26 | 500 | Input is not validated |