diff --git a/includes/class-wc-payments-onboarding-service.php b/includes/class-wc-payments-onboarding-service.php
index 58049816d70..0d477f944d2 100644
--- a/includes/class-wc-payments-onboarding-service.php
+++ b/includes/class-wc-payments-onboarding-service.php
@@ -199,7 +199,8 @@ public function get_capabilities_from_request(): array {
 		// Try to extract the capabilities.
 		// They might be already decoded or not, so we need to handle both cases.
 		// We expect them to be an array.
-		$capabilities = wc_clean( wp_unslash( $_REQUEST['capabilities'] ) ); // phpcs:disable WordPress.Security.NonceVerification.Recommended
+		// phpcs:disable WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+		$capabilities = wp_unslash( $_REQUEST['capabilities'] );
 		if ( ! is_array( $capabilities ) ) {
 			$capabilities = json_decode( $capabilities, true ) ?? [];
 		}