WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4851Sortable Word Count Reloaded681862k+Output is not escaped
#4852Title Toggle for Storefront Theme681693k+Output is not escaped
#4853Template List Metabox681410900Missing Arg Domain
#4854Increase Maximum Upload File Size68281440k+Missing Arg Domain
#4855Video Tab For WooCommerce68713600Missing nonce verification
#4856Thank You Page for WooCommerce6862710k+Non-prefixed global variable
#4857WP and Divi Icons68201562k+wp function not compatible with requires wp
#4858Solid Mail – SMTP email and logging made by SolidWP68161760k+Database parameter is not escaped
#4859WP Theme Changelogs681318900Nonce verification recommended
#4860WP User Avatars6852020k+Input is not sanitized
#4861YaySwatches – Variation Swatches for WooCommerce68281141k+Text Domain Mismatch
#4862Age Gate696113940k+Missing direct file access protection
#4863Auto Update Post Date6911231k+Input is not validated
#4864CallRail Phone Call Tracking69111210k+Input is not validated
#4865CDN Enabler6914710k+Output is not escaped
#4866Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons69222430k+Text Domain Mismatch
#4867Contact Form 7: Accessible Defaults693285k+Nonce verification recommended
#4868CryptX69113010k+Missing nonce verification
#4869Custom Category Template691382k+Missing Arg Domain
#4870Custom Login URL6916171k+Missing Arg Domain
#4871Debug6925342k+Input is not sanitized
#4872Disable Users691192k+Text Domain Mismatch
#4873DOKU Payment695346500wp function not compatible with requires wp
#4874Easy Auto Reload – Auto Refresh6937121k+Text Domain Mismatch
#4875ELEX WooCommerce Bulk Edit Products, Prices & Attributes (Basic)69511514k+Text Domain Mismatch
#4876ELEX WooCommerce Discount Per Payment Method6960391k+Text Domain Mismatch
#4877Embed Iframe692562k+wp function not compatible with requires wp
#4878GDPR Compliance for Mailchimp697152k+Missing nonce verification
#4879Google Plus Authorship696151k+trademarked term
#4880简数采集器695251k+Request data is not unslashed
#4881Mailster WordPress Newsletter Plugin6914118k+Output is not escaped
#4882Media Slider for Photos Images Videos6910232k+Missing Version
#4883Payment Gateway for PhonePe and for Woocommerce691514900Non Singular String Literal Domain
#4884PDF.js Viewer69143820k+Non-prefixed global variable
#4885Rename Taxonomies by WebMan693271k+Missing Arg Domain
#4886Scroll Down Arrow693030800Missing Arg Domain
#4887Search & Filter69212850k+Input is not sanitized
#4888Simple Login Lockdown691364k+Output is not escaped
#4889Simple YouTube Embed6911115k+Nonce verification recommended
#4890SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels)69179527k+Non-prefixed global variable
#4891Easy Username Updater69192810k+Missing Arg Domain
#4892VWE – Voorheen Autodealers.nl692310500curl curl setopt
#4893WC Variations Radio Buttons6912213k+Non-prefixed global variable
#4894WP referrer spam blacklist (fight 2040+ Referrer Spammers in (Google/Matomo) Analytics)69924700Non-prefixed constant
#4895Zapper Payments691111600Output is not escaped
#4896Add Widget After Content706117k+Setting is missing a sanitization callback
#4897Checkfront Online Booking System7032162k+wp function not compatible with requires wp
#4898Comment Form CSRF Protection70710500Request data is not unslashed
#4899Comment Form Js Validation702382k+Missing Arg Domain
#4900Lead info with country for Contact Form 77025283k+Text Domain Mismatch