PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing
Setting is missing a sanitization callback
A registered setting does not define a sanitization callback.
Why It Shows Up
Plugin Check found a `register_setting()` call without a `sanitize_callback` or equivalent validation strategy.
Why It Matters
Settings can be saved by administrators and then displayed or used later. Without sanitization, invalid or unsafe values can persist.
How to Fix
- Pass a `sanitize_callback` in the `register_setting()` arguments.
- Use built-in sanitizers for simple values and custom callbacks for structured settings.
- Validate allowed values and return a safe default when input is invalid.
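The three fixes above combined in one registration, as an added example (not code from Plugin Check or from any listed plugin). The option group, option names, field names and the `myplugin_` functions are hypothetical.

```php
<?php
// Hypothetical plugin: option group, option names and fields are assumptions.
add_action( 'admin_init', 'myplugin_register_settings' );

function myplugin_register_settings() {
    // Simple scalar value: a built-in sanitizer is enough.
    register_setting( 'myplugin_settings', 'myplugin_label', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
    ) );
    // Structured value: a custom callback validates each field.
    register_setting( 'myplugin_settings', 'myplugin_options', array(
        'type'              => 'array',
        'sanitize_callback' => 'myplugin_sanitize_options',
        'default'           => myplugin_default_options(),
    ) );
}

function myplugin_default_options() {
    return array( 'position' => 'bottom', 'max_items' => 5, 'button_url' => '' );
}

function myplugin_sanitize_options( $input ) {
    $clean = myplugin_default_options();
    if ( ! is_array( $input ) ) {
        return $clean; // Non-array input is rejected outright.
    }
    // Allowlist: anything outside the known values keeps the default.
    $position = isset( $input['position'] ) ? sanitize_key( $input['position'] ) : '';
    if ( in_array( $position, array( 'top', 'bottom' ), true ) ) {
        $clean['position'] = $position;
    }
    // Integer clamped to a fixed range.
    if ( isset( $input['max_items'] ) ) {
        $clean['max_items'] = min( 50, max( 1, absint( $input['max_items'] ) ) );
    }
    // URL restricted to http/https schemes.
    if ( isset( $input['button_url'] ) ) {
        $clean['button_url'] = esc_url_raw( $input['button_url'], array( 'http', 'https' ) );
    }
    return $clean; // Keys not listed in the defaults are dropped.
}
```

WordPress applies the callback through the `sanitize_option_{$option}` filter, so it also runs on direct `update_option()` calls and not only on the settings form.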
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #601 | Widget Menuizer | 40 | 44 | 26 | 600 | | | Missing Arg Domain |
| #602 | Simple Registration for WooCommerce | 40 | 27 | 55 | 4k+ | | | Missing nonce verification |
| #603 | Media Library Categories | 40 | 29 | 49 | 20k+ | | | Output is not escaped |
| #604 | WP Posts Carousel | 40 | 199 | 12 | 3k+ | | | Unsafe printing function |
| #605 | Social Share Buttons & Analytics Plugin – GetSocial.io | 40 | 97 | 25 | 2k+ | | | Output is not escaped |
| #606 | WPFront Notification Bar | 40 | 222 | 44 | 50k+ | | | Output is not escaped |
| #607 | Simple Counter | 41 | 60 | 12 | 1k+ | | | Unsafe printing function |
| #608 | Amazon Link Engine | 41 | 38 | 17 | 2k+ | | | Output is not escaped |
| #609 | ATP Call Now | 41 | 98 | 7 | 700 | | | Output is not escaped |
| #610 | Backend Designer | 41 | 50 | 11 | 1k+ | | | Output is not escaped |
| #611 | Book Now | 41 | 75 | 14 | 1k+ | | | Output is not escaped |
| #612 | Bulk Images to Posts | 41 | 55 | 5 | 1k+ | | | Unsafe printing function |
| #613 | Carbon Copy | 41 | 64 | 89 | 3k+ | | | Text Domain Mismatch |
| #614 | Čeština: zalomení řádků | 41 | 86 | 8 | 6k+ | | | Text Domain Mismatch |
| #615 | Checklist | 41 | 62 | 25 | 400 | | | Text Domain Mismatch |
| #616 | CloudGuard | 41 | 41 | 13 | 1k+ | | | Output is not escaped |
| #617 | Cookie Notice & Consent | 41 | 101 | 29 | 1k+ | | | Output is not escaped |
| #618 | DevVN Local Store | 41 | 84 | 28 | 1k+ | | | Unsafe printing function |
| #619 | Disable Everything | 41 | 90 | 16 | 30k+ | | | Output is not escaped |
| #620 | Disqus Conditional Load | 41 | 38 | 14 | 3k+ | | | Output is not escaped |
| #621 | DigitalOcean Spaces Sync | 41 | 80 | 8 | 500 | | | Text Domain Mismatch |
| #622 | GDPR tools: Cookie notice + privacy | 41 | 67 | 8 | 6k+ | | | Unsafe printing function |
| #623 | Duplicate Post Page Menu & Custom Post Type | 41 | 35 | 11 | 10k+ | | | Text Domain Mismatch |
| #624 | Embed Chessboard | 41 | 103 | 9 | 600 | | | Text Domain Mismatch |
| #625 | Featured Image Generator | 41 | 31 | 16 | 1k+ | | | Output is not escaped |
| #626 | (Simply) Guest Author Name | 41 | 35 | 36 | 2k+ | | | Output is not escaped |
| #627 | Import external attachments | 41 | 18 | 26 | 2k+ | | | Output is not escaped |
| #628 | Inpost Paczkomaty | 41 | 35 | 68 | 8k+ | | | Text Domain Mismatch |
| #629 | Ko-fi Button | 41 | 75 | 15 | 5k+ | | | Output is not escaped |
| #630 | Lazy Load XT | 41 | 87 | 7 | 600 | | | Non Singular String Literal Domain |
| #631 | Native Emoji | 41 | 54 | 37 | 5k+ | | | Unsafe printing function |
| #632 | Live Chat & AI Chatbot – onWebChat | 41 | 30 | 85 | 700 | | | error log error log |
| #633 | Page Specific Menu Items | 41 | 78 | 19 | 2k+ | | | Output is not escaped |
| #634 | Post Cloner | 41 | 25 | 15 | 1k+ | | | Text Domain Mismatch |
| #635 | Powie's WHOIS Domain Check | 41 | 38 | 11 | 500 | | | Unsafe printing function |
| #636 | Preload LCP Image | 41 | 110 | 31 | 4k+ | | | Unsafe printing function |
| #637 | Quick View WooCommerce | 41 | 80 | 12 | 1k+ | | | Output is not escaped |
| #638 | ShinyStat Analytics | 41 | 88 | 25 | 1k+ | | | Output is not escaped |
| #639 | Simple Restrict | 41 | 34 | 12 | 1k+ | | | Output is not escaped |
| #640 | Smooth Scroll Up | 41 | 61 | 10 | 6k+ | | | Output is not escaped |
| #641 | Smoove connector for Elementor forms | 41 | 22 | 60 | 600 | | | Nonce verification recommended |
| #642 | Taxonomy Filter | 41 | 143 | 40 | 800 | | | Output is not escaped |
| #643 | Terms of Service & Privacy Policy Generator | 41 | 99 | 1 | 600 | | | Output is not escaped |
| #644 | Feedback Company | 41 | 63 | 36 | 800 | | | Output is not escaped |
| #645 | Unbloater | 41 | 57 | 18 | 5k+ | | | Output is not escaped |
| #646 | fancyBox 3 for WordPress | 41 | 72 | 11 | 1k+ | | | Output is not escaped |
| #647 | WaveSurfer-WP | 41 | 83 | 22 | 400 | | | Unsafe printing function |
| #648 | WC Multiple Email Recipients | 41 | 85 | 3 | 4k+ | | | Text Domain Mismatch |
| #649 | WP Media folders | 41 | 19 | 74 | 3k+ | | | Direct Query |
| #650 | Add to Cart Button Custom Text | 42 | 98 | 4 | 10k+ | | | Text Domain Mismatch |