PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing
Setting is missing a sanitization callback
A registered setting does not define a sanitization callback.
Why It Shows Up
Plugin Check found `register_setting()` without a `sanitize_callback` or equivalent validation strategy.
Why It Matters
Settings can be saved by administrators and then displayed or used later. Without sanitization, invalid or unsafe values can persist.
How to Fix
- Pass a `sanitize_callback` in the `register_setting()` arguments.
- Use built-in sanitizers for simple values and custom callbacks for structured settings.
- Validate allowed values and return a safe default when input is invalid.
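One way to apply the three fixes above, as an added example that is not taken from Plugin Check or from any listed plugin. The `myplugin_*` functions, the option names and the allowed values are hypothetical.

```php
<?php
// Added example: every myplugin_* name, option and allowed value is hypothetical.
add_action( 'admin_init', 'myplugin_register_settings' );

function myplugin_register_settings() {
	// Flagged form, stores whatever is submitted:
	// register_setting( 'myplugin_options', 'myplugin_label' );

	// Simple scalar: a built-in sanitizer is enough.
	register_setting( 'myplugin_options', 'myplugin_label', array(
		'type'              => 'string',
		'sanitize_callback' => 'sanitize_text_field',
		'default'           => '',
	) );

	// Structured setting: a custom callback validates each field.
	register_setting( 'myplugin_options', 'myplugin_display', array(
		'type'              => 'array',
		'sanitize_callback' => 'myplugin_sanitize_display',
		'default'           => myplugin_display_defaults(),
	) );
}

function myplugin_display_defaults() {
	return array( 'position' => 'bottom', 'per_page' => 10, 'link' => '' );
}

function myplugin_sanitize_display( $input ) {
	$defaults = myplugin_display_defaults();
	if ( ! is_array( $input ) ) {
		return $defaults; // Wrong shape: store the safe default instead.
	}
	$input = wp_parse_args( $input, $defaults );
	// Allowlist check; anything else falls back to the default.
	$position = sanitize_key( $input['position'] );
	if ( ! in_array( $position, array( 'top', 'bottom', 'hidden' ), true ) ) {
		$position = $defaults['position'];
	}
	// Range check on a numeric field.
	$per_page = is_numeric( $input['per_page'] ) ? absint( $input['per_page'] ) : 0;
	if ( $per_page < 1 || $per_page > 100 ) {
		$per_page = $defaults['per_page'];
	}
	// URL limited to http/https; non-strings become empty.
	$link = is_string( $input['link'] ) ? esc_url_raw( $input['link'], array( 'http', 'https' ) ) : '';

	// Rebuild from known keys only, so unexpected keys are never stored.
	return compact( 'position', 'per_page', 'link' );
}
```

Sanitizing on save does not replace escaping on output: values read back with `get_option()` still go through `esc_html()`, `esc_attr()` or `esc_url()` when printed.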
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #451 | TrustMate.io – WooCommerce integration | 36 | 251 | 97 | 3k+ | | | Output is not escaped |
| #452 | Ubigeo de Perú para Woocommerce y WordPress | 36 | 191 | 235 | 4k+ | | | Non-prefixed function |
| #453 | Disable Payment Methods based on cart conditions for WooCommerce | 36 | 158 | 57 | 1k+ | | | Non Singular String Literal Domain |
| #454 | Add to Cart Redirect for WooCommerce | 37 | 215 | 141 | 8k+ | | | Text Domain Mismatch |
| #455 | AJAX Hits Counter + Popular Posts Widget | 37 | 247 | 44 | 1k+ | | | Output is not escaped |
| #456 | Async JS and CSS | 37 | 90 | 1 | 700 | | | Text Domain Mismatch |
| #457 | Before After Image Comparison Slider for Elementor | 37 | 90 | 41 | 10k+ | | | Text Domain Mismatch |
| #458 | Blog News Addons For Elementor (News, Magazine and Blog Addons) | 37 | 23 | 296 | 400 | | | Non-prefixed global variable |
| #459 | Customize WordPress Emails and Alerts – Better Notifications for WP | 37 | 64 | 47 | 30k+ | | | Missing Arg Domain |
| #460 | Contact Zalo Report SW | 37 | 44 | 39 | 900 | | | Missing Arg Domain |
| #461 | Delivery Date Time & Pickup for WooCommerce | 37 | 148 | 216 | 400 | | | Output is not escaped |
| #462 | Catalog Booster & Product Catalog Mode for WooCommerce | 37 | 106 | 168 | 1k+ | | | Non-prefixed function |
| #463 | Duo Two-Factor Authentication | 37 | 44 | 61 | 3k+ | | | Missing nonce verification |
| #464 | Pricing Table WordPress Plugin – Easy Pricing Tables | 37 | 332 | 161 | 10k+ | | | Output is not escaped |
| #465 | WP eBay Product Feeds | 37 | 136 | 31 | 700 | | | Output is not escaped |
| #466 | Favorites | 37 | 204 | 121 | 10k+ | | | Unsafe printing function |
| #467 | GoCache | 37 | 273 | 43 | 900 | | | Non Singular String Literal Domain |
| #468 | Lightbox with PhotoSwipe | 37 | 179 | 24 | 20k+ | | | Output is not escaped |
| #469 | PiWeb Live sales notification for WooCommerce | 37 | 289 | 77 | 30k+ | | | Text Domain Mismatch |
| #470 | LiveAgent – Omnichannel Help Desk & Live Chat Software | 37 | 125 | 142 | 400 | | | Non Singular String Literal Domain |
| #471 | Sendle Shipping Plugin | 37 | 91 | 64 | 800 | | | wp function not compatible with requires wp |
| #472 | Optin Forms – Simple List Building Plugin for WordPress | 37 | 647 | 22 | 3k+ | | | Output is not escaped |
| #473 | Product Image Hover Effects WOOC – WPSHARE247 | 37 | 161 | 94 | 800 | | | Output is not escaped |
| #474 | Product page shipping calculator for WooCommerce | 37 | 217 | 117 | 1k+ | | | Text Domain Mismatch |
| #475 | resmio button & widget | 37 | 99 | 36 | 400 | | | Text Domain Mismatch |
| #476 | Reusable Content Blocks | 37 | 349 | 14 | 4k+ | | | Text Domain Mismatch |
| #477 | Rich Table of Contents | 37 | 262 | 57 | 20k+ | | | Output is not escaped |
| #478 | Robots & Sitemap | 37 | 199 | 28 | 500 | | | Text Domain Mismatch |
| #479 | Snippet Shortcodes | 37 | 359 | 133 | 4k+ | | | Non Singular String Literal Domain |
| #480 | Skimlinks Affiliate Marketing Tool | 37 | 84 | 19 | 800 | | | wp function not compatible with requires wp |
| #481 | Theme Builder For Elementor | 37 | 477 | 28 | 2k+ | | | Text Domain Mismatch |
| #482 | User Meta Display | 37 | 78 | 74 | 500 | | | Output is not escaped |
| #483 | Varnish/Nginx Proxy Caching | 37 | 287 | 36 | 600 | | | Output is not escaped |
| #484 | Skroutz & Bestprice XML feed for WooCommerce | 37 | 161 | 41 | 1k+ | | | Text Domain Mismatch |
| #485 | WP Category Permalink | 37 | 75 | 31 | 2k+ | | | Output is not escaped |
| #486 | WP Export Categories & Taxonomies | 37 | 169 | 35 | 500 | | | Output is not escaped |
| #487 | XT Visitor Counter | 37 | 177 | 52 | 7k+ | | | Output is not escaped |
| #488 | Yada Wiki | 37 | 207 | 45 | 2k+ | | | Text Domain Mismatch |
| #489 | YOURLS Link Creator | 37 | 196 | 39 | 500 | | | Text Domain Mismatch |
| #490 | Zendesk Chat | 37 | 44 | 67 | 10k+ | | | Output is not escaped |
| #491 | Add Customer for WooCommerce | 38 | 229 | 153 | 1k+ | | | Text Domain Mismatch |
| #492 | Admin Tools | 38 | 189 | 10 | 3k+ | | | Unsafe printing function |
| #493 | AdRoll for WooCommerce Stores | 38 | 40 | 25 | 600 | | | Output is not escaped |
| #494 | Advanced Sermons | 38 | 833 | 184 | 1k+ | | | Unsafe printing function |
| #495 | Any Mobile Theme Switcher | 38 | 69 | 59 | 20k+ | | | Output is not escaped |
| #496 | Bot Block – Stop Spam Referrals in Google Analytics | 38 | 28 | 42 | 600 | | | Output is not escaped |
| #497 | Car Route Planner Plugin | 38 | 135 | 17 | 400 | | | Output is not escaped |
| #498 | CC Child Pages | 38 | 63 | 152 | 9k+ | | | Non-prefixed global variable |
| #499 | country-redirect | 38 | 58 | 19 | 400 | | | Text Domain Mismatch |
| #500 | One page checkout and layouts for woocommerce | 38 | 83 | 52 | 3k+ | | | Non-prefixed global variable |