WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4901 | Lead info with country for Contact Form 7 | 70 | 25 | 28 | 3k+ | Text Domain Mismatch | ||
| #4902 | ConvertCalculator: Build Cost, Price, Quotation, ROI Interactive Calculators | 70 | 9 | 12 | 800 | Output is not escaped | ||
| #4903 | Gutenberg Blocks Templates – 50+ Free Gutenberg Block Designs | 70 | 2 | 23 | 700 | Request data is not unslashed | ||
| #4904 | fitness calculators | 70 | 94 | 25 | 600 | Missing Arg Domain | ||
| #4905 | Free Gift Product For WooCommerce | 70 | 9 | 77 | 800 | Non-prefixed global variable | ||
| #4906 | Host Header Injection Fix | 70 | 9 | 8 | 400 | Output is not escaped | ||
| #4907 | Multipart robots.txt editor | 70 | 19 | 8 | 1k+ | Output is not escaped | ||
| #4908 | onepay Payment Gateway For WooCommerce | 70 | 49 | 13 | 900 | Text Domain Mismatch | ||
| #4909 | PipraPay Gateway | 70 | 11 | 6 | 400 | Output is not escaped | ||
| #4910 | Portfolio Post Type | 70 | 7 | 11 | 50k+ | Nonce verification recommended | ||
| #4911 | Post Grid & Post Slider – Carousel, Filter Tabs & Related Posts | 70 | 6 | 53 | 1k+ | Request data is not unslashed | ||
| #4912 | Press This | 70 | 1 | 44 | 5k+ | Non-prefixed hook name | ||
| #4913 | Remove Taxonomy Base Slug | 70 | 12 | 18 | 5k+ | Deprecated parameter: get_terms parameter 2 | ||
| #4914 | Show-Hide / Collapse-Expand | 70 | 18 | 15 | 10k+ | Missing direct file access protection | ||
| #4915 | Show IP address | 70 | 6 | 20 | 1k+ | Input is not sanitized | ||
| #4916 | Simple Login Captcha | 70 | 20 | 19 | 10k+ | date date | ||
| #4917 | Simple Post Notes | 70 | 5 | 16 | 9k+ | Request data is not unslashed | ||
| #4918 | Spocket ‑ US & EU Dropshipping | 70 | 15 | 31 | 1k+ | Direct Query | ||
| #4919 | SQL Executioner | 70 | 18 | 17 | 2k+ | Non-prefixed global variable | ||
| #4920 | SubHeading | 70 | 22 | 13 | 1k+ | Non Singular String Literal Domain | ||
| #4921 | Support Me | 70 | 12 | 6 | 900 | Unsafe printing function | ||
| #4922 | User Location and IP | 70 | 2 | 25 | 400 | Input is not sanitized | ||
| #4923 | Block Emails & Addresses for WooCommerce Checkout | 70 | 4 | 12 | 700 | error log set error handler | ||
| #4924 | Bulk Price Update for Woocommerce | 70 | 2 | 28 | 2k+ | Request data is not unslashed | ||
| #4925 | Cart All In One For WooCommerce | 70 | 6 | 150 | 5k+ | Non-prefixed global variable | ||
| #4926 | Related Products for WooCommerce | 70 | 12 | 12 | 3k+ | Setting is missing a sanitization callback | ||
| #4927 | Quick Buy For Woocommerce | 70 | 105 | 22 | 1k+ | Text Domain Mismatch | ||
| #4928 | Post Template | 70 | 12 | 11 | 400 | Missing nonce verification | ||
| #4929 | Yampi Checkout | 70 | 6 | 10 | 900 | Nonce verification recommended | ||
| #4930 | aapanel WP Toolkit | 71 | 20 | 18 | 2k+ | wp function not compatible with requires wp | ||
| #4931 | Web Accessibility with Max Access | 71 | 22 | 11 | 800 | curl curl setopt | ||
| #4932 | Add Any Extension to Pages | 71 | 3 | 10 | 2k+ | Input is not sanitized | ||
| #4933 | Change Administrator Email Address | 71 | 12 | 9 | 700 | Output is not escaped | ||
| #4934 | Contact Form 7 Confirm Email Field | 71 | 35 | 11 | 2k+ | Text Domain Mismatch | ||
| #4935 | Cresta Social Messenger | 71 | 9 | 10 | 1k+ | Non-prefixed function | ||
| #4936 | Event SEO: Event Schema / Structured Data: Google Rich Snippet Schema for Event | 71 | 24 | 49 | 700 | Non-prefixed global variable | ||
| #4937 | GPX Viewer | 71 | 10 | 26 | 900 | Missing Version | ||
| #4938 | Nginx Helper | 71 | 47 | 60 | 200k+ | Non-prefixed global variable | ||
| #4939 | Privyr CRM – Instant Lead Alerts for Contact Forms | 71 | 2 | 25 | 4k+ | Non-prefixed function | ||
| #4940 | Repeater Fields for WPForms | 71 | 173 | 18 | 500 | wp function not compatible with requires wp | ||
| #4941 | Tax Switch for WooCommerce | 71 | 3 | 20 | 900 | Non-prefixed hook name | ||
| #4942 | WindPress – Tailwind CSS integration for WordPress | 71 | 16 | 106 | 3k+ | Non-prefixed hook name | ||
| #4943 | Woorise – Landing Pages, Forms & Surveys | 71 | 8 | 14 | 1k+ | Input is not sanitized | ||
| #4944 | WP 4 Me Title Remover | 71 | 17 | 13 | 1k+ | Missing direct file access protection | ||
| #4945 | Multi-Step Checkout for WooCommerce | 71 | 38 | 104 | 8k+ | Non-prefixed global variable | ||
| #4946 | WP No Base Permalink | 71 | 8 | 10 | 10k+ | Unsafe printing function | ||
| #4947 | WP Widget in Navigation | 71 | 37 | 15 | 3k+ | Non Singular String Literal Domain | ||
| #4948 | Zapier for WordPress | 71 | 11 | 21 | 50k+ | Input is not sanitized | ||
| #4949 | Web Accessibility by accessiBe | 72 | 1 | 25 | 10k+ | Input is not sanitized | ||
| #4950 | Archiiv | 72 | 6 | 30 | 400 | Non-prefixed global variable |