WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4751Web and WooCommerce Addons for WPBakery Builder654971231k+Text Domain Mismatch
#4752VK Link Target Controller65131030k+Output is not escaped
#4753Websitescanner Custom Schema652819600wp function not compatible with requires wp
#4754Add to Cart Text Changer and Customize Button, Add Custom Icon6587182k+Text Domain Mismatch
#4755Ajaxify Comments – Ajax and Lazy Loading Comments6520383k+Non-prefixed hook name
#4756WP Change Default From Email6551710k+Non Singular String Literal Domain
#4757WP-Farsi652636600Non-prefixed function
#4758WP Max Submit Protect651912400Output is not escaped
#4759AC Advanced Flamingo Settings66632700Nonce verification recommended
#4760ACF: Rus-To-Lat6615112k+Output is not escaped
#4761WPAdmin AWS CDN6616142400Text Domain Mismatch
#4762Bopo – WooCommerce Product Bundle Builder661371351k+Text Domain Mismatch
#4763Bulk Term Generator – Import multiple tags, categories, and taxonomies easily668312k+Request data is not unslashed
#4764Calculated fields for ACF665181k+Non-prefixed global variable
#4765Social comments by WpDevArt669198k+Missing Version
#4766Cookie Warning661415700Non-prefixed function
#4767Custom Author Byline66118500Output is not escaped
#4768Debug Log Manager – Conveniently Monitor and Inspect Errors66334410k+Input is not validated
#4769Duplicate Menu66117100k+Unsafe printing function
#4770Elementic66229900Text Domain Mismatch
#4771Estatik Mortgage Calculator662261k+Output is not escaped
#4772Goaffpro Affiliate Marketing666284k+Nonce verification recommended
#4773Hide Title6613630k+Output is not escaped
#4774HiFi (Head Injection, Foot Injection)6613112k+Output is not escaped
#4775Leadpages6666210k+Direct Query
#4776Page Title Splitter662981k+wp function not compatible with requires wp
#4777Page Meta662614700Missing Arg Domain
#4778Plugin Compatibility Checker6673189k+Text Domain Mismatch
#4779Product Code for WooCommerce6613541k+Missing direct file access protection
#4780Product Size Chart For WooCommerce669226k+Non-prefixed hook name
#4781Mailchimp Widget by ProteusThemes661791k+Output is not escaped
#4782Raw HTML66173510k+Non-prefixed function
#4783Safe Redirect Manager6696040k+Non-prefixed hook name
#4784User Profile Picture66984k+Missing nonce verification
#4785Ajax add to cart for WooCommerce66673110k+Text Domain Mismatch
#4786WP Simple Adsense Insertion663293k+Input is not validated
#4787WP Anti-Clickjack664424k+Nonce verification recommended
#4788WP Multisite User Sync/Unsync661531700Missing Arg Domain
#4789WP Redis6611259k+Interpolated SQL is not prepared
#4790WP Term Images664182k+Nonce verification recommended
#4791Affiliates Manager Google reCAPTCHA Integration671810400Request data is not unslashed
#4792Awesome Contact Form7 for Elementor6720307k+Non-prefixed global variable
#4793Breadcrumbs Divi Module67443810k+Text Domain Mismatch
#4794Caddy – WooCommerce Side Cart & Free Shipping Bar67381993k+Non-prefixed global variable
#4795Custom CSS Pro671767k+Output is not escaped
#4796Duplicate TEC Event671210900date date
#4797Dynamic Text Field For Contact Form 7672071k+Unsafe printing function
#4798Easy Media Replace6716141k+Output is not escaped
#4799EU Cookies Bar for WordPress673699k+Request data is not unslashed
#4800Forget Spam Comment6751010k+Input is not sanitized