WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4901Lead info with country for Contact Form 77025283k+Text Domain Mismatch
#4902ConvertCalculator: Build Cost, Price, Quotation, ROI Interactive Calculators70912800Output is not escaped
#4903Gutenberg Blocks Templates – 50+ Free Gutenberg Block Designs70223700Request data is not unslashed
#4904fitness calculators709425600Missing Arg Domain
#4905Free Gift Product For WooCommerce70977800Non-prefixed global variable
#4906Host Header Injection Fix7098400Output is not escaped
#4907Multipart robots.txt editor701981k+Output is not escaped
#4908onepay Payment Gateway For WooCommerce704913900Text Domain Mismatch
#4909PipraPay Gateway70116400Output is not escaped
#4910Portfolio Post Type7071150k+Nonce verification recommended
#4911Post Grid & Post Slider – Carousel, Filter Tabs & Related Posts706531k+Request data is not unslashed
#4912Press This701445k+Non-prefixed hook name
#4913Remove Taxonomy Base Slug7012185k+Deprecated parameter: get_terms parameter 2
#4914Show-Hide / Collapse-Expand70181510k+Missing direct file access protection
#4915Show IP address706201k+Input is not sanitized
#4916Simple Login Captcha70201910k+date date
#4917Simple Post Notes705169k+Request data is not unslashed
#4918Spocket ‑ US & EU Dropshipping7015311k+Direct Query
#4919SQL Executioner7018172k+Non-prefixed global variable
#4920SubHeading7022131k+Non Singular String Literal Domain
#4921Support Me70126900Unsafe printing function
#4922User Location and IP70225400Input is not sanitized
#4923Block Emails & Addresses for WooCommerce Checkout70412700error log set error handler
#4924Bulk Price Update for Woocommerce702282k+Request data is not unslashed
#4925Cart All In One For WooCommerce7061505k+Non-prefixed global variable
#4926Related Products for WooCommerce7012123k+Setting is missing a sanitization callback
#4927Quick Buy For Woocommerce70105221k+Text Domain Mismatch
#4928Post Template701211400Missing nonce verification
#4929Yampi Checkout70610900Nonce verification recommended
#4930aapanel WP Toolkit7120182k+wp function not compatible with requires wp
#4931Web Accessibility with Max Access712211800curl curl setopt
#4932Add Any Extension to Pages713102k+Input is not sanitized
#4933Change Administrator Email Address71129700Output is not escaped
#4934Contact Form 7 Confirm Email Field7135112k+Text Domain Mismatch
#4935Cresta Social Messenger719101k+Non-prefixed function
#4936Event SEO: Event Schema / Structured Data: Google Rich Snippet Schema for Event712449700Non-prefixed global variable
#4937GPX Viewer711026900Missing Version
#4938Nginx Helper714760200k+Non-prefixed global variable
#4939Privyr CRM – Instant Lead Alerts for Contact Forms712254k+Non-prefixed function
#4940Repeater Fields for WPForms7117318500wp function not compatible with requires wp
#4941Tax Switch for WooCommerce71320900Non-prefixed hook name
#4942WindPress – Tailwind CSS integration for WordPress71161063k+Non-prefixed hook name
#4943Woorise – Landing Pages, Forms & Surveys718141k+Input is not sanitized
#4944WP 4 Me Title Remover7117131k+Missing direct file access protection
#4945Multi-Step Checkout for WooCommerce71381048k+Non-prefixed global variable
#4946WP No Base Permalink7181010k+Unsafe printing function
#4947WP Widget in Navigation7137153k+Non Singular String Literal Domain
#4948Zapier for WordPress71112150k+Input is not sanitized
#4949Web Accessibility by accessiBe7212510k+Input is not sanitized
#4950Archiiv72630400Non-prefixed global variable