PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing
Setting is missing a sanitization callback
A registered setting does not define a sanitization callback.
Why It Shows Up
Plugin Check found a `register_setting()` call whose arguments do not include a `sanitize_callback` or an equivalent validation strategy.
Why It Matters
Settings can be saved by administrators and then displayed or used later. Without sanitization, invalid or unsafe values can persist.
How to Fix
- Pass a `sanitize_callback` in the `register_setting()` arguments.
- Use built-in sanitizers for simple values and custom callbacks for structured settings.
- Validate allowed values and return a safe default when input is invalid.
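
One way to apply the three fixes above, shown as an added example (not code from Plugin Check or from any plugin listed on this page). The `myplugin_*` function names, the option names and the allowed values are hypothetical.

```php
<?php
// Added example: all myplugin_* names, option keys and allowed values are hypothetical.
add_action( 'admin_init', 'myplugin_register_settings' );

function myplugin_register_settings() {
	// Simple scalar value: a built-in sanitizer is enough.
	register_setting( 'myplugin_options', 'myplugin_api_label', array(
		'type'              => 'string',
		'sanitize_callback' => 'sanitize_text_field',
		'default'           => '',
	) );

	// Structured setting: a custom callback validates every key.
	register_setting( 'myplugin_options', 'myplugin_display', array(
		'type'              => 'array',
		'sanitize_callback' => 'myplugin_sanitize_display',
		'default'           => myplugin_display_defaults(),
	) );
}

function myplugin_display_defaults() {
	return array( 'position' => 'bottom', 'max_items' => 5, 'show_title' => false );
}

function myplugin_sanitize_display( $input ) {
	$defaults = myplugin_display_defaults();
	if ( ! is_array( $input ) ) {
		return $defaults; // Wrong shape: return the safe default.
	}
	$clean = $defaults; // Only known keys are copied, so unknown keys are dropped.

	// Allow-list check: any other value keeps the default.
	$position = isset( $input['position'] ) ? sanitize_key( $input['position'] ) : '';
	if ( in_array( $position, array( 'top', 'bottom', 'sidebar' ), true ) ) {
		$clean['position'] = $position;
	}
	// Integer clamped to the range 1..20; non-numeric input keeps the default.
	if ( isset( $input['max_items'] ) && is_numeric( $input['max_items'] ) ) {
		$clean['max_items'] = min( 20, max( 1, absint( $input['max_items'] ) ) );
	}
	// Checkbox: an unchecked box is absent from the submitted form.
	$clean['show_title'] = ! empty( $input['show_title'] );
	return $clean;
}
```

Sanitizing on save does not replace escaping on output: values read back with `get_option()` still need `esc_html()`, `esc_attr()` or a similar function when printed.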
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #501 | Elemailer Lite – Elementor email template & campaign builder | 38 | 44 | 50 | 5k+ | | | Output is not escaped |
| #502 | PiWeb Product Enquiry or product catalog for WooCommerce | 38 | 255 | 145 | 1k+ | | | Text Domain Mismatch |
| #503 | Flexy Breadcrumb | 38 | 241 | 13 | 20k+ | | | Output is not escaped |
| #504 | CAOS \| Host Google Analytics Locally | 38 | 124 | 44 | 10k+ | | | Output is not escaped |
| #505 | Lana Downloads Manager | 38 | 146 | 78 | 3k+ | | | Unsafe printing function |
| #506 | MimeTypes Link Icons | 38 | 53 | 34 | 8k+ | | | Output is not escaped |
| #507 | Podlove Subscribe button | 38 | 148 | 45 | 2k+ | | | Output is not escaped |
| #508 | Polaroid Gallery | 38 | 105 | 20 | 1k+ | | | Unsafe printing function |
| #509 | Like This | 38 | 60 | 17 | 1k+ | | | Output is not escaped |
| #510 | RSS Feed Widget | 38 | 207 | 89 | 2k+ | | | Unsafe printing function |
| #511 | SimpleShop | 38 | 52 | 51 | 1k+ | | | date date |
| #512 | VdoCipher: Secure Video Player and Hosting | 38 | 37 | 54 | 2k+ | | | Non-prefixed function |
| #513 | TWIPLA (Visitor Analytics IO) – Privacy-First Website Stats, Session Recordings, Heatmaps, Polls and Surveys | 38 | 71 | 49 | 900 | | | Output is not escaped |
| #514 | Vietnam Checkout for WooCommerce | 38 | 93 | 137 | 10k+ | | | Nonce verification recommended |
| #515 | WP Hebrew Date | 38 | 102 | 13 | 600 | | | Output is not escaped |
| #516 | WP Client Reports | 38 | 95 | 80 | 6k+ | | | Unsafe printing function |
| #517 | WP Discord Post Plus – Supports Unlimited Channels | 38 | 116 | 34 | 700 | | | Text Domain Mismatch |
| #518 | WP Maintenance Mode & Site Under Construction | 38 | 72 | 57 | 3k+ | | | Output is not escaped |
| #519 | mb.miniAudioPlayer – an HTML5 audio player for your mp3 files | 38 | 204 | 6 | 4k+ | | | Unsafe printing function |
| #520 | External Store for Shopify | 38 | 97 | 33 | 2k+ | | | Output is not escaped |
| #521 | mb.YTPlayer for background videos | 38 | 80 | 29 | 1k+ | | | Unsafe printing function |
| #522 | ZeroBounce Email Verification & Validation | 38 | 299 | 162 | 1k+ | | | Text Domain Mismatch |
| #523 | Accounting for WooCommerce | 39 | 87 | 115 | 500 | | | Unsafe printing function |
| #524 | ACF: Google Font Selector | 39 | 57 | 45 | 3k+ | | | Output is not escaped |
| #525 | ACF Recent Posts Widget | 39 | 260 | 16 | 500 | | | Output is not escaped |
| #526 | Advanced Woo Labels – Product Labels & Badges for WooCommerce | 39 | 173 | 125 | 10k+ | | | Output is not escaped |
| #527 | Archive Control | 39 | 151 | 67 | 1k+ | | | Unsafe printing function |
| #528 | bbPress Voting | 39 | 27 | 53 | 500 | | | Output is not escaped |
| #529 | bbPress Moderation | 39 | 75 | 15 | 500 | | | Non Singular String Literal Domain |
| #530 | Better User Search | 39 | 24 | 44 | 700 | | | SQL query is not prepared |
| #531 | Blogger Importer Extended | 39 | 55 | 45 | 4k+ | | | Output is not escaped |
| #532 | Cache Images | 39 | 72 | 27 | 1k+ | | | Unsafe printing function |
| #533 | Calculator Builder – Create an Online Calculator | 39 | 16 | 221 | 1k+ | | | Non-prefixed global variable |
| #534 | Innozilla Skins for Contact Form 7 | 39 | 152 | 22 | 2k+ | | | Output is not escaped |
| #535 | Contact Form 7 – Dynamic Text Extension | 39 | 103 | 28 | 100k+ | | | Output is not escaped |
| #536 | Image CAPTCHA for Contact Form 7 and WPForms by HookAndHook (DSGVO/GDPR) | 39 | 28 | 45 | 80k+ | | | Missing nonce verification |
| #537 | Dublin Core Metadata Generator | 39 | 74 | 15 | 900 | | | Output is not escaped |
| #538 | WeShareAI – AI-Powered Share Buttons (formerly E-MAILiT) | 39 | 165 | 24 | 700 | | | Unsafe printing function |
| #539 | Editor Menu and Widget Access | 39 | 81 | 24 | 7k+ | | | Output is not escaped |
| #540 | Enhanced Admin Bar with Codex Search | 39 | 64 | 3 | 1k+ | | | Missing Arg Domain |
| #541 | FaniMani.pl | 39 | 103 | 11 | 600 | | | Output is not escaped |
| #542 | Flamix: Bitrix24 and WooCommerce Orders integration | 39 | 81 | 31 | 500 | | | Output is not escaped |
| #543 | GDPRess \| Eliminate external requests to increase GDPR compliance | 39 | 60 | 26 | 1k+ | | | Output is not escaped |
| #544 | Google Calendar Widget | 39 | 82 | 11 | 700 | | | Output is not escaped |
| #545 | Insert Amz Images | 39 | 79 | 44 | 1k+ | | | Output is not escaped |
| #546 | Media Sync | 39 | 193 | 7 | 50k+ | | | Short PHP open tag found |
| #547 | OneSignal Sender | 39 | 112 | 50 | 400 | | | Output is not escaped |
| #548 | Responsify WP | 39 | 90 | 11 | 600 | | | Unsafe printing function |
| #549 | Rollbar | 39 | 75 | 14 | 400 | | | Output is not escaped |
| #550 | Scripts n Styles | 39 | 150 | 92 | 30k+ | | | Output is not escaped |