WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4851 | Sortable Word Count Reloaded | 68 | 18 | 6 | 2k+ | Output is not escaped | ||
| #4852 | Title Toggle for Storefront Theme | 68 | 16 | 9 | 3k+ | Output is not escaped | ||
| #4853 | Template List Metabox | 68 | 14 | 10 | 900 | Missing Arg Domain | ||
| #4854 | Increase Maximum Upload File Size | 68 | 28 | 14 | 40k+ | Missing Arg Domain | ||
| #4855 | Video Tab For WooCommerce | 68 | 7 | 13 | 600 | Missing nonce verification | ||
| #4856 | Thank You Page for WooCommerce | 68 | 6 | 27 | 10k+ | Non-prefixed global variable | ||
| #4857 | WP and Divi Icons | 68 | 201 | 56 | 2k+ | wp function not compatible with requires wp | ||
| #4858 | Solid Mail – SMTP email and logging made by SolidWP | 68 | 16 | 17 | 60k+ | Database parameter is not escaped | ||
| #4859 | WP Theme Changelogs | 68 | 13 | 18 | 900 | Nonce verification recommended | ||
| #4860 | WP User Avatars | 68 | 5 | 20 | 20k+ | Input is not sanitized | ||
| #4861 | YaySwatches – Variation Swatches for WooCommerce | 68 | 281 | 14 | 1k+ | Text Domain Mismatch | ||
| #4862 | Age Gate | 69 | 61 | 139 | 40k+ | Missing direct file access protection | ||
| #4863 | Auto Update Post Date | 69 | 11 | 23 | 1k+ | Input is not validated | ||
| #4864 | CallRail Phone Call Tracking | 69 | 11 | 12 | 10k+ | Input is not validated | ||
| #4865 | CDN Enabler | 69 | 14 | 7 | 10k+ | Output is not escaped | ||
| #4866 | Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons | 69 | 22 | 24 | 30k+ | Text Domain Mismatch | ||
| #4867 | Contact Form 7: Accessible Defaults | 69 | 3 | 28 | 5k+ | Nonce verification recommended | ||
| #4868 | CryptX | 69 | 11 | 30 | 10k+ | Missing nonce verification | ||
| #4869 | Custom Category Template | 69 | 13 | 8 | 2k+ | Missing Arg Domain | ||
| #4870 | Custom Login URL | 69 | 16 | 17 | 1k+ | Missing Arg Domain | ||
| #4871 | Debug | 69 | 25 | 34 | 2k+ | Input is not sanitized | ||
| #4872 | Disable Users | 69 | 11 | 9 | 2k+ | Text Domain Mismatch | ||
| #4873 | DOKU Payment | 69 | 53 | 46 | 500 | wp function not compatible with requires wp | ||
| #4874 | Easy Auto Reload – Auto Refresh | 69 | 37 | 12 | 1k+ | Text Domain Mismatch | ||
| #4875 | ELEX WooCommerce Bulk Edit Products, Prices & Attributes (Basic) | 69 | 511 | 51 | 4k+ | Text Domain Mismatch | ||
| #4876 | ELEX WooCommerce Discount Per Payment Method | 69 | 60 | 39 | 1k+ | Text Domain Mismatch | ||
| #4877 | Embed Iframe | 69 | 25 | 6 | 2k+ | wp function not compatible with requires wp | ||
| #4878 | GDPR Compliance for Mailchimp | 69 | 7 | 15 | 2k+ | Missing nonce verification | ||
| #4879 | Google Plus Authorship | 69 | 6 | 15 | 1k+ | trademarked term | ||
| #4880 | 简数采集器 | 69 | 5 | 25 | 1k+ | Request data is not unslashed | ||
| #4881 | Mailster WordPress Newsletter Plugin | 69 | 14 | 11 | 8k+ | Output is not escaped | ||
| #4882 | Media Slider for Photos Images Videos | 69 | 10 | 23 | 2k+ | Missing Version | ||
| #4883 | Payment Gateway for PhonePe and for Woocommerce | 69 | 15 | 14 | 900 | Non Singular String Literal Domain | ||
| #4884 | PDF.js Viewer | 69 | 14 | 38 | 20k+ | Non-prefixed global variable | ||
| #4885 | Rename Taxonomies by WebMan | 69 | 32 | 7 | 1k+ | Missing Arg Domain | ||
| #4886 | Scroll Down Arrow | 69 | 30 | 30 | 800 | Missing Arg Domain | ||
| #4887 | Search & Filter | 69 | 21 | 28 | 50k+ | Input is not sanitized | ||
| #4888 | Simple Login Lockdown | 69 | 13 | 6 | 4k+ | Output is not escaped | ||
| #4889 | Simple YouTube Embed | 69 | 11 | 11 | 5k+ | Nonce verification recommended | ||
| #4890 | SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels) | 69 | 17 | 952 | 7k+ | Non-prefixed global variable | ||
| #4891 | Easy Username Updater | 69 | 19 | 28 | 10k+ | Missing Arg Domain | ||
| #4892 | VWE – Voorheen Autodealers.nl | 69 | 23 | 10 | 500 | curl curl setopt | ||
| #4893 | WC Variations Radio Buttons | 69 | 12 | 21 | 3k+ | Non-prefixed global variable | ||
| #4894 | WP referrer spam blacklist (fight 2040+ Referrer Spammers in (Google/Matomo) Analytics) | 69 | 9 | 24 | 700 | Non-prefixed constant | ||
| #4895 | Zapper Payments | 69 | 11 | 11 | 600 | Output is not escaped | ||
| #4896 | Add Widget After Content | 70 | 6 | 11 | 7k+ | Setting is missing a sanitization callback | ||
| #4897 | Checkfront Online Booking System | 70 | 32 | 16 | 2k+ | wp function not compatible with requires wp | ||
| #4898 | Comment Form CSRF Protection | 70 | 7 | 10 | 500 | Request data is not unslashed | ||
| #4899 | Comment Form Js Validation | 70 | 23 | 8 | 2k+ | Missing Arg Domain | ||
| #4900 | Lead info with country for Contact Form 7 | 70 | 25 | 28 | 3k+ | Text Domain Mismatch |