WordPress Sentinel Plugin Exposes Critical Input Sanitization Flaw in $_POST Handling

A critical vulnerability has been identified in the WordPress Sentinel plugin, stemming from improper handling of user input. The flaw resides in the plugin's failure to apply the `wp_unslash()` function to `$_POST` superglobal arrays before sanitizing them with functions like `sanitize_text_field`. Because WordPress automatically applies 'magic quotes'—adding slashes—to incoming request data, sanitizing the raw `$_POST` array means the slashes are not removed, leaving potentially malicious input intact within the system.

The issue is not uniform; it depends on the sanitization function used. For text or mixed arrays sanitized with `sanitize_text_field`, the missing `wp_unslash()` is a direct security risk, as the slashes remain. However, for arrays processed with `absint`—which coerces values to non-negative integers—the function is immune to slash-related issues, making the unslashing step unnecessary in those specific cases. This creates a patchwork of security postures within the same codebase.

The vulnerability underscores a fundamental WordPress security principle: `wp_unslash()` must be applied recursively to the entire array structure *before* any element-level string sanitization. The fix requires developers to audit all instances where `array_map` is used with string sanitization functions on `$_POST` data and ensure `wp_unslash()` is called first. This prevents slashed data from bypassing intended sanitization filters, closing a potential vector for injection attacks.