PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

Setting is missing a sanitization callback

A registered setting does not define a sanitization callback.

critical weight

Why It Shows Up

Plugin Check found `register_setting()` without a `sanitize_callback` or equivalent validation strategy.

Why It Matters

Settings can be saved by administrators and then displayed or used later. Without sanitization, invalid or unsafe values can persist.

How to Fix

  • Pass a `sanitize_callback` in the `register_setting()` arguments.
  • Use built-in sanitizers for simple values and custom callbacks for structured settings.
  • Validate allowed values and return a safe default when input is invalid.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#751ImageMagick Sharpen Resized Images542261k+Output is not escaped
#752Post Editor Buttons Fork54243800Unsafe printing function
#753Resize images before upload541951k+Output is not escaped
#754EMI Calculator542812700Output is not escaped
#755Yeloni Exit Popup | (Free) GDPR Compliance544112700Output is not escaped
#756DevVn Float Left Right Ads554221k+Output is not escaped
#757Disable Feeds559920k+Output is not escaped
#758Insert Pages55523040k+Output is not escaped
#759Quick Bulk Post & Page Creator554312k+Text Domain Mismatch
#760Quick Bulk Term Taxonomy Creator55372400Text Domain Mismatch
#761Semrush Content Toolkit5522242k+Non-prefixed global variable
#762Trusona for WordPress55834500Non-prefixed function
#763reCAPTCHA for Ninja Forms56219600Output is not escaped
#764Posts Columns Manager56472800Output is not escaped
#765Require Featured Image562063k+Output is not escaped
#766Review Stream564142400Non-prefixed global variable
#767USERCENTRICS CMP5644111k+Non Singular String Literal Domain
#768Video Dashboard56331600Output is not escaped
#769Blog Time57386600Output is not escaped
#770Known Agents – Track AI Bots and Crawlers, Block Scrapers, Analyze LLM Referral Traffic5737121k+Setting is missing a sanitization callback
#771Elementor Beta (Developer Edition)57363230k+Output is not escaped
#772Universal Google Analytics (GA3 and GA4)57282400Output is not escaped
#773WP Adsterra Dashboard572221400wp function not compatible with requires wp
#774WP Old Post Date Remover572572k+Unsafe printing function
#775Zoho Billing – Embed Payment Form572210500Output is not escaped
#776WP Admin Category Search5823112k+Unsafe printing function
#777Admin Page Notes581715700Text Domain Mismatch
#778E-namad & Shamed Logo Manager582622k+Output is not escaped
#779HAL5810624500Text Domain Mismatch
#780REVIEWS.io for WooCommerce58711611k+Non-prefixed global variable
#781WebP Express Plus581911700Unsafe printing function
#782Chat Button & Custom ChatGPT-Powered Bot by GetButton.io5826820k+Non-prefixed function
#783Logo or Image Replace by mycore.global593012400Text Domain Mismatch
#784Scrollbar59722400Missing nonce verification
#785Simplelightbox593241k+Output is not escaped
#786Subscribers – Free Web Push Notifications5915111k+Output is not escaped
#787Text Scroll Widget59302400Output is not escaped
#788Typebot591793k+Output is not escaped
#789Hide Posts5997020k+Direct Query
#790Add Google re captcha in WordPress Forms591616500Output is not escaped
#791Admin Menu Groups602610800Output is not escaped
#792EPROLO-Dropshipping6016341k+Missing nonce verification
#793FancyBox for WordPress601753330k+Text Domain Mismatch
#794Freshchat6016101k+Output is not escaped
#795iubenda | All-in-one Compliance for GDPR / CCPA Cookie Consent + more60405271200k+Text Domain Mismatch
#796Tabby Responsive Tabs6016510k+Output is not escaped
#797In-Post Ads612710600Text Domain Mismatch
#798Creative Commons6110317700Text Domain Mismatch
#799Hotjar6116470k+Output is not escaped
#800jQuery Lightbox612231k+Output is not escaped