PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

Setting is missing a sanitization callback

A registered setting does not define a sanitization callback.

critical weight

Why It Shows Up

Plugin Check found `register_setting()` without a `sanitize_callback` or equivalent validation strategy.

Why It Matters

Settings can be saved by administrators and then displayed or used later. Without sanitization, invalid or unsafe values can persist.

How to Fix

  • Pass a `sanitize_callback` in the `register_setting()` arguments.
  • Use built-in sanitizers for simple values and custom callbacks for structured settings.
  • Validate allowed values and return a safe default when input is invalid.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#701Easy Basic Authentication – Add basic auth to site or admin area461428600Input is not sanitized
#702Live Copy Paste for Elementor – Cross Domain Copy Paste & Page Duplicator4613257k+Request data is not unslashed
#703N360 | Splash Screen463213500Output is not escaped
#704Ultimate FAQ Solution4628597600Text Domain Mismatch
#705WEN Logo Slider466461k+Non-prefixed global variable
#706Show IDs by Echo4721132k+Output is not escaped
#707Product Categories/Tags Bottom Description for WooCommerce4760233k+Text Domain Mismatch
#708XML Sitemap & Google News47270224100k+Non-prefixed global variable
#709Add Polylang support for Customizer4818202k+Nonce verification recommended
#710Better Block Patterns4877111k+Missing direct file access protection
#711Disable Author Pages482356k+Unsafe printing function
#712MWW Disclaimer Buttons482116400Output is not escaped
#713Simple Regenerate Slug48186400Unsafe printing function
#714Visual Website Optimizer488645k+wp function not compatible with requires wp
#715WC Provincia Canton Distrito48103141k+Text Domain Mismatch
#716WP First Letter Avatar484072k+Output is not escaped
#717Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode49148176100k+Non-prefixed global variable
#718Dashboard quick links widget492216700Output is not escaped
#719GDPR Tools: comment ip removement4918132k+Unsafe printing function
#720FooSales – Point of Sale (POS) for WooCommerce4992190700Non-prefixed global variable
#721Tag Pilot FREE – Google Tag Manager Integration for WooCommerce4933191k+Output is not escaped
#722Post/Page Specific Custom Code4921147k+Output is not escaped
#723WooBuilder492017700Output is not escaped
#724Auto Ping Booster Free501821900Setting is missing a sanitization callback
#725Bangla Fonts Collection50473400Text Domain Mismatch
#726Booster for WPForms507945700Text Domain Mismatch
#727BuddyPress Groups Extras503051400Missing direct file access protection
#728Disable Site502634k+Output is not escaped
#729Meteo50589800Output is not escaped
#730Pago por Redsys504459700Text Domain Mismatch
#731Tiempo50538800Output is not escaped
#732Veeqo for WooCommerce503017700Missing direct file access protection
#733WP Hide Show Featured Image503654k+Unsafe printing function
#734Bootstrap Modals514381k+Output is not escaped
#735Gravatar Enhanced – Avatars, Profiles, and Privacy513848100k+Dynamic hook name
#736Insert Code by Angie Makes51438900Output is not escaped
#737WPFrom Email514412600Output is not escaped
#738Age Gate Lite522832k+Output is not escaped
#739LeadBooster Chatbot by Pipedrive523862k+Output is not escaped
#740Meta Generator and Version Info Remover52202810k+Non-prefixed function
#741Podium5221235k+Missing direct file access protection
#742ONTRApages5316271k+Output is not escaped
#743Shamor535512400wp function not compatible with requires wp
#744Morning for WooCommerce537591k+Non-prefixed global variable
#745Widget Context53142040k+Non-prefixed hook name
#746Peadig's Twitter Feed: Embedded Timeline WordPress Plugin53376600Output is not escaped
#747Anant Addons for Elementor – Widgets, Templates & WooCommerce Builder5429207700Non-prefixed global variable
#748Cyr-To-Lat541648300k+Dynamic hook name
#749Easy Font Resize54336700Setting is missing a sanitization callback
#750FireCask Like & Share Button54326400Output is not escaped