PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing
Setting is missing a sanitization callback
A registered setting does not define a sanitization callback.
Why It Shows Up
Plugin Check found `register_setting()` without a `sanitize_callback` or equivalent validation strategy.
Why It Matters
Settings can be saved by administrators and then displayed or used later. Without sanitization, invalid or unsafe values can persist.
How to Fix
- Pass a `sanitize_callback` in the `register_setting()` arguments.
- Use built-in sanitizers for simple values and custom callbacks for structured settings.
- Validate allowed values and return a safe default when input is invalid.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #751 | ImageMagick Sharpen Resized Images | 54 | 22 | 6 | 1k+ | Output is not escaped | ||
| #752 | Post Editor Buttons Fork | 54 | 24 | 3 | 800 | Unsafe printing function | ||
| #753 | Resize images before upload | 54 | 19 | 5 | 1k+ | Output is not escaped | ||
| #754 | EMI Calculator | 54 | 28 | 12 | 700 | Output is not escaped | ||
| #755 | Yeloni Exit Popup | (Free) GDPR Compliance | 54 | 41 | 12 | 700 | Output is not escaped | ||
| #756 | DevVn Float Left Right Ads | 55 | 42 | 2 | 1k+ | Output is not escaped | ||
| #757 | Disable Feeds | 55 | 9 | 9 | 20k+ | Output is not escaped | ||
| #758 | Insert Pages | 55 | 52 | 30 | 40k+ | Output is not escaped | ||
| #759 | Quick Bulk Post & Page Creator | 55 | 43 | 1 | 2k+ | Text Domain Mismatch | ||
| #760 | Quick Bulk Term Taxonomy Creator | 55 | 37 | 2 | 400 | Text Domain Mismatch | ||
| #761 | Semrush Content Toolkit | 55 | 22 | 24 | 2k+ | Non-prefixed global variable | ||
| #762 | Trusona for WordPress | 55 | 8 | 34 | 500 | Non-prefixed function | ||
| #763 | reCAPTCHA for Ninja Forms | 56 | 21 | 9 | 600 | Output is not escaped | ||
| #764 | Posts Columns Manager | 56 | 47 | 2 | 800 | Output is not escaped | ||
| #765 | Require Featured Image | 56 | 20 | 6 | 3k+ | Output is not escaped | ||
| #766 | Review Stream | 56 | 41 | 42 | 400 | Non-prefixed global variable | ||
| #767 | USERCENTRICS CMP | 56 | 44 | 11 | 1k+ | Non Singular String Literal Domain | ||
| #768 | Video Dashboard | 56 | 33 | 1 | 600 | Output is not escaped | ||
| #769 | Blog Time | 57 | 38 | 6 | 600 | Output is not escaped | ||
| #770 | Known Agents – Track AI Bots and Crawlers, Block Scrapers, Analyze LLM Referral Traffic | 57 | 37 | 12 | 1k+ | Setting is missing a sanitization callback | ||
| #771 | Elementor Beta (Developer Edition) | 57 | 36 | 32 | 30k+ | Output is not escaped | ||
| #772 | Universal Google Analytics (GA3 and GA4) | 57 | 28 | 2 | 400 | Output is not escaped | ||
| #773 | WP Adsterra Dashboard | 57 | 22 | 21 | 400 | wp function not compatible with requires wp | ||
| #774 | WP Old Post Date Remover | 57 | 25 | 7 | 2k+ | Unsafe printing function | ||
| #775 | Zoho Billing – Embed Payment Form | 57 | 22 | 10 | 500 | Output is not escaped | ||
| #776 | WP Admin Category Search | 58 | 23 | 11 | 2k+ | Unsafe printing function | ||
| #777 | Admin Page Notes | 58 | 17 | 15 | 700 | Text Domain Mismatch | ||
| #778 | E-namad & Shamed Logo Manager | 58 | 26 | 2 | 2k+ | Output is not escaped | ||
| #779 | HAL | 58 | 106 | 24 | 500 | Text Domain Mismatch | ||
| #780 | REVIEWS.io for WooCommerce | 58 | 71 | 161 | 1k+ | Non-prefixed global variable | ||
| #781 | WebP Express Plus | 58 | 19 | 11 | 700 | Unsafe printing function | ||
| #782 | Chat Button & Custom ChatGPT-Powered Bot by GetButton.io | 58 | 26 | 8 | 20k+ | Non-prefixed function | ||
| #783 | Logo or Image Replace by mycore.global | 59 | 30 | 12 | 400 | Text Domain Mismatch | ||
| #784 | Scrollbar | 59 | 7 | 22 | 400 | Missing nonce verification | ||
| #785 | Simplelightbox | 59 | 32 | 4 | 1k+ | Output is not escaped | ||
| #786 | Subscribers – Free Web Push Notifications | 59 | 15 | 11 | 1k+ | Output is not escaped | ||
| #787 | Text Scroll Widget | 59 | 30 | 2 | 400 | Output is not escaped | ||
| #788 | Typebot | 59 | 17 | 9 | 3k+ | Output is not escaped | ||
| #789 | Hide Posts | 59 | 9 | 70 | 20k+ | Direct Query | ||
| #790 | Add Google re captcha in WordPress Forms | 59 | 16 | 16 | 500 | Output is not escaped | ||
| #791 | Admin Menu Groups | 60 | 26 | 10 | 800 | Output is not escaped | ||
| #792 | EPROLO-Dropshipping | 60 | 16 | 34 | 1k+ | Missing nonce verification | ||
| #793 | FancyBox for WordPress | 60 | 175 | 33 | 30k+ | Text Domain Mismatch | ||
| #794 | Freshchat | 60 | 16 | 10 | 1k+ | Output is not escaped | ||
| #795 | iubenda | All-in-one Compliance for GDPR / CCPA Cookie Consent + more | 60 | 405 | 271 | 200k+ | Text Domain Mismatch | ||
| #796 | Tabby Responsive Tabs | 60 | 16 | 5 | 10k+ | Output is not escaped | ||
| #797 | In-Post Ads | 61 | 27 | 10 | 600 | Text Domain Mismatch | ||
| #798 | Creative Commons | 61 | 103 | 17 | 700 | Text Domain Mismatch | ||
| #799 | Hotjar | 61 | 16 | 4 | 70k+ | Output is not escaped | ||
| #800 | jQuery Lightbox | 61 | 22 | 3 | 1k+ | Output is not escaped |