WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4751 | Web and WooCommerce Addons for WPBakery Builder | 65 | 497 | 123 | 1k+ | Text Domain Mismatch | ||
| #4752 | VK Link Target Controller | 65 | 13 | 10 | 30k+ | Output is not escaped | ||
| #4753 | Websitescanner Custom Schema | 65 | 28 | 19 | 600 | wp function not compatible with requires wp | ||
| #4754 | Add to Cart Text Changer and Customize Button, Add Custom Icon | 65 | 87 | 18 | 2k+ | Text Domain Mismatch | ||
| #4755 | Ajaxify Comments – Ajax and Lazy Loading Comments | 65 | 20 | 38 | 3k+ | Non-prefixed hook name | ||
| #4756 | WP Change Default From Email | 65 | 51 | 7 | 10k+ | Non Singular String Literal Domain | ||
| #4757 | WP-Farsi | 65 | 26 | 36 | 600 | Non-prefixed function | ||
| #4758 | WP Max Submit Protect | 65 | 19 | 12 | 400 | Output is not escaped | ||
| #4759 | AC Advanced Flamingo Settings | 66 | 6 | 32 | 700 | Nonce verification recommended | ||
| #4760 | ACF: Rus-To-Lat | 66 | 15 | 11 | 2k+ | Output is not escaped | ||
| #4761 | WPAdmin AWS CDN | 66 | 161 | 42 | 400 | Text Domain Mismatch | ||
| #4762 | Bopo – WooCommerce Product Bundle Builder | 66 | 137 | 135 | 1k+ | Text Domain Mismatch | ||
| #4763 | Bulk Term Generator – Import multiple tags, categories, and taxonomies easily | 66 | 8 | 31 | 2k+ | Request data is not unslashed | ||
| #4764 | Calculated fields for ACF | 66 | 5 | 18 | 1k+ | Non-prefixed global variable | ||
| #4765 | Social comments by WpDevArt | 66 | 9 | 19 | 8k+ | Missing Version | ||
| #4766 | Cookie Warning | 66 | 14 | 15 | 700 | Non-prefixed function | ||
| #4767 | Custom Author Byline | 66 | 11 | 8 | 500 | Output is not escaped | ||
| #4768 | Debug Log Manager – Conveniently Monitor and Inspect Errors | 66 | 33 | 44 | 10k+ | Input is not validated | ||
| #4769 | Duplicate Menu | 66 | 11 | 7 | 100k+ | Unsafe printing function | ||
| #4770 | Elementic | 66 | 22 | 9 | 900 | Text Domain Mismatch | ||
| #4771 | Estatik Mortgage Calculator | 66 | 22 | 6 | 1k+ | Output is not escaped | ||
| #4772 | Goaffpro Affiliate Marketing | 66 | 6 | 28 | 4k+ | Nonce verification recommended | ||
| #4773 | Hide Title | 66 | 13 | 6 | 30k+ | Output is not escaped | ||
| #4774 | HiFi (Head Injection, Foot Injection) | 66 | 13 | 11 | 2k+ | Output is not escaped | ||
| #4775 | Leadpages | 66 | 6 | 62 | 10k+ | Direct Query | ||
| #4776 | Page Title Splitter | 66 | 29 | 8 | 1k+ | wp function not compatible with requires wp | ||
| #4777 | Page Meta | 66 | 26 | 14 | 700 | Missing Arg Domain | ||
| #4778 | Plugin Compatibility Checker | 66 | 73 | 18 | 9k+ | Text Domain Mismatch | ||
| #4779 | Product Code for WooCommerce | 66 | 13 | 54 | 1k+ | Missing direct file access protection | ||
| #4780 | Product Size Chart For WooCommerce | 66 | 9 | 22 | 6k+ | Non-prefixed hook name | ||
| #4781 | Mailchimp Widget by ProteusThemes | 66 | 17 | 9 | 1k+ | Output is not escaped | ||
| #4782 | Raw HTML | 66 | 17 | 35 | 10k+ | Non-prefixed function | ||
| #4783 | Safe Redirect Manager | 66 | 9 | 60 | 40k+ | Non-prefixed hook name | ||
| #4784 | User Profile Picture | 66 | 9 | 8 | 4k+ | Missing nonce verification | ||
| #4785 | Ajax add to cart for WooCommerce | 66 | 67 | 31 | 10k+ | Text Domain Mismatch | ||
| #4786 | WP Simple Adsense Insertion | 66 | 3 | 29 | 3k+ | Input is not validated | ||
| #4787 | WP Anti-Clickjack | 66 | 4 | 42 | 4k+ | Nonce verification recommended | ||
| #4788 | WP Multisite User Sync/Unsync | 66 | 15 | 31 | 700 | Missing Arg Domain | ||
| #4789 | WP Redis | 66 | 11 | 25 | 9k+ | Interpolated SQL is not prepared | ||
| #4790 | WP Term Images | 66 | 4 | 18 | 2k+ | Nonce verification recommended | ||
| #4791 | Affiliates Manager Google reCAPTCHA Integration | 67 | 18 | 10 | 400 | Request data is not unslashed | ||
| #4792 | Awesome Contact Form7 for Elementor | 67 | 20 | 30 | 7k+ | Non-prefixed global variable | ||
| #4793 | Breadcrumbs Divi Module | 67 | 44 | 38 | 10k+ | Text Domain Mismatch | ||
| #4794 | Caddy – WooCommerce Side Cart & Free Shipping Bar | 67 | 38 | 199 | 3k+ | Non-prefixed global variable | ||
| #4795 | Custom CSS Pro | 67 | 17 | 6 | 7k+ | Output is not escaped | ||
| #4796 | Duplicate TEC Event | 67 | 12 | 10 | 900 | date date | ||
| #4797 | Dynamic Text Field For Contact Form 7 | 67 | 20 | 7 | 1k+ | Unsafe printing function | ||
| #4798 | Easy Media Replace | 67 | 16 | 14 | 1k+ | Output is not escaped | ||
| #4799 | EU Cookies Bar for WordPress | 67 | 3 | 69 | 9k+ | Request data is not unslashed | ||
| #4800 | Forget Spam Comment | 67 | 5 | 10 | 10k+ | Input is not sanitized |