PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing
Setting is missing a sanitization callback
A registered setting does not define a sanitization callback.
Why It Shows Up
Plugin Check found `register_setting()` without a `sanitize_callback` or equivalent validation strategy.
Why It Matters
Settings can be saved by administrators and then displayed or used later. Without sanitization, invalid or unsafe values can persist.
How to Fix
- Pass a `sanitize_callback` in the `register_setting()` arguments.
- Use built-in sanitizers for simple values and custom callbacks for structured settings.
- Validate allowed values and return a safe default when input is invalid.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #701 | Easy Basic Authentication – Add basic auth to site or admin area | 46 | 14 | 28 | 600 | Input is not sanitized | ||
| #702 | Live Copy Paste for Elementor – Cross Domain Copy Paste & Page Duplicator | 46 | 13 | 25 | 7k+ | Request data is not unslashed | ||
| #703 | N360 | Splash Screen | 46 | 32 | 13 | 500 | Output is not escaped | ||
| #704 | Ultimate FAQ Solution | 46 | 285 | 97 | 600 | Text Domain Mismatch | ||
| #705 | WEN Logo Slider | 46 | 6 | 46 | 1k+ | Non-prefixed global variable | ||
| #706 | Show IDs by Echo | 47 | 21 | 13 | 2k+ | Output is not escaped | ||
| #707 | Product Categories/Tags Bottom Description for WooCommerce | 47 | 60 | 23 | 3k+ | Text Domain Mismatch | ||
| #708 | XML Sitemap & Google News | 47 | 270 | 224 | 100k+ | Non-prefixed global variable | ||
| #709 | Add Polylang support for Customizer | 48 | 18 | 20 | 2k+ | Nonce verification recommended | ||
| #710 | Better Block Patterns | 48 | 77 | 11 | 1k+ | Missing direct file access protection | ||
| #711 | Disable Author Pages | 48 | 23 | 5 | 6k+ | Unsafe printing function | ||
| #712 | MWW Disclaimer Buttons | 48 | 21 | 16 | 400 | Output is not escaped | ||
| #713 | Simple Regenerate Slug | 48 | 18 | 6 | 400 | Unsafe printing function | ||
| #714 | Visual Website Optimizer | 48 | 86 | 4 | 5k+ | wp function not compatible with requires wp | ||
| #715 | WC Provincia Canton Distrito | 48 | 103 | 14 | 1k+ | Text Domain Mismatch | ||
| #716 | WP First Letter Avatar | 48 | 40 | 7 | 2k+ | Output is not escaped | ||
| #717 | Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode | 49 | 148 | 176 | 100k+ | Non-prefixed global variable | ||
| #718 | Dashboard quick links widget | 49 | 22 | 16 | 700 | Output is not escaped | ||
| #719 | GDPR Tools: comment ip removement | 49 | 18 | 13 | 2k+ | Unsafe printing function | ||
| #720 | FooSales – Point of Sale (POS) for WooCommerce | 49 | 92 | 190 | 700 | Non-prefixed global variable | ||
| #721 | Tag Pilot FREE – Google Tag Manager Integration for WooCommerce | 49 | 33 | 19 | 1k+ | Output is not escaped | ||
| #722 | Post/Page Specific Custom Code | 49 | 21 | 14 | 7k+ | Output is not escaped | ||
| #723 | WooBuilder | 49 | 20 | 17 | 700 | Output is not escaped | ||
| #724 | Auto Ping Booster Free | 50 | 18 | 21 | 900 | Setting is missing a sanitization callback | ||
| #725 | Bangla Fonts Collection | 50 | 47 | 3 | 400 | Text Domain Mismatch | ||
| #726 | Booster for WPForms | 50 | 79 | 45 | 700 | Text Domain Mismatch | ||
| #727 | BuddyPress Groups Extras | 50 | 30 | 51 | 400 | Missing direct file access protection | ||
| #728 | Disable Site | 50 | 26 | 3 | 4k+ | Output is not escaped | ||
| #729 | Meteo | 50 | 58 | 9 | 800 | Output is not escaped | ||
| #730 | Pago por Redsys | 50 | 44 | 59 | 700 | Text Domain Mismatch | ||
| #731 | Tiempo | 50 | 53 | 8 | 800 | Output is not escaped | ||
| #732 | Veeqo for WooCommerce | 50 | 30 | 17 | 700 | Missing direct file access protection | ||
| #733 | WP Hide Show Featured Image | 50 | 36 | 5 | 4k+ | Unsafe printing function | ||
| #734 | Bootstrap Modals | 51 | 43 | 8 | 1k+ | Output is not escaped | ||
| #735 | Gravatar Enhanced – Avatars, Profiles, and Privacy | 51 | 38 | 48 | 100k+ | Dynamic hook name | ||
| #736 | Insert Code by Angie Makes | 51 | 43 | 8 | 900 | Output is not escaped | ||
| #737 | WPFrom Email | 51 | 44 | 12 | 600 | Output is not escaped | ||
| #738 | Age Gate Lite | 52 | 28 | 3 | 2k+ | Output is not escaped | ||
| #739 | LeadBooster Chatbot by Pipedrive | 52 | 38 | 6 | 2k+ | Output is not escaped | ||
| #740 | Meta Generator and Version Info Remover | 52 | 20 | 28 | 10k+ | Non-prefixed function | ||
| #741 | Podium | 52 | 21 | 23 | 5k+ | Missing direct file access protection | ||
| #742 | ONTRApages | 53 | 16 | 27 | 1k+ | Output is not escaped | ||
| #743 | Shamor | 53 | 55 | 12 | 400 | wp function not compatible with requires wp | ||
| #744 | Morning for WooCommerce | 53 | 7 | 59 | 1k+ | Non-prefixed global variable | ||
| #745 | Widget Context | 53 | 14 | 20 | 40k+ | Non-prefixed hook name | ||
| #746 | Peadig's Twitter Feed: Embedded Timeline WordPress Plugin | 53 | 37 | 6 | 600 | Output is not escaped | ||
| #747 | Anant Addons for Elementor – Widgets, Templates & WooCommerce Builder | 54 | 29 | 207 | 700 | Non-prefixed global variable | ||
| #748 | Cyr-To-Lat | 54 | 16 | 48 | 300k+ | Dynamic hook name | ||
| #749 | Easy Font Resize | 54 | 33 | 6 | 700 | Setting is missing a sanitization callback | ||
| #750 | FireCask Like & Share Button | 54 | 32 | 6 | 400 | Output is not escaped |