PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

Setting is missing a sanitization callback

A registered setting does not define a sanitization callback.

critical weight

Why It Shows Up

Plugin Check found `register_setting()` without a `sanitize_callback` or equivalent validation strategy.

Why It Matters

Settings can be saved by administrators and then displayed or used later. Without sanitization, invalid or unsafe values can persist.

How to Fix

  • Pass a `sanitize_callback` in the `register_setting()` arguments.
  • Use built-in sanitizers for simple values and custom callbacks for structured settings.
  • Validate allowed values and return a safe default when input is invalid.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#901Page Loader76943k+Missing Version
#902Custom Cursor For WP771071k+Setting is missing a sanitization callback
#903Disable Toolbar77631k+Output is not escaped
#904Floating Contact Button77631k+Output is not escaped
#905Gravity Forms Auto Placeholders7798700trademarked term
#906Ilmenite Cookie Consent776112k+Setting is missing a sanitization callback
#907Toggle wpautop774159k+trademarked term
#908WP Comment Notification772810400Missing Arg Domain
#909WP Upload Size776142k+Non-prefixed function
#910Floating Ads Bottom78912k+Setting is missing a sanitization callback
#911Uptime Monitoring for WordPress – My Website is Online78187500Text Domain Mismatch
#912PushCrew78100400Missing Arg Domain
#913Simple Universal Google Analytics781104k+Output is not escaped
#914Yandex Mail SMTP Server for WordPress781652k+Text Domain Mismatch
#915WP Simple Mail Sender782163k+Non Singular String Literal Domain
#916AIKO – AI Developer Lite791076k+error log error log
#917Chatra Live Chat + ChatBot + Cart Saver791113k+Output is not escaped
#918Global Site Tag Tracking791111k+Output is not escaped
#919Grabber for QQWorld Auto Save Images79173500Non Singular String Literal Domain
#920Flutterwave Payments79839600Non-prefixed global variable
#921Yandex Mail79164400Non Singular String Literal Domain
#922Custom Icons for Elementor8062510k+Non-prefixed global variable
#923Parallax Image80612k+Missing direct file access protection
#924Re-add text underline and justify8010250k+Output is not escaped
#925SteadFast API802238k+Non-prefixed global variable
#926Folder Excluder for AIO WP Migration81851k+Non-prefixed function
#927AWEOS Google Maps iframe load per click811173k+Text Domain Mismatch
#928Disable Post Revision81633k+Output is not escaped
#929JivoChat Live Chat – WP live chat plugin for WordPress81271320k+wp function not compatible with requires wp
#930Pagebar2811937900Non-prefixed global variable
#931Simple Site Map Page81914k+Output is not escaped
#932Siteimprove81623700Nonce verification recommended
#933Bulk Order Form for WooCommerce81898900Non-prefixed hook name
#934WP GIF Player – Play & Pause8164400Output is not escaped
#935Already Existing Tags8281500Setting is missing a sanitization callback
#936Clean Image Filenames826130k+Output is not escaped
#937CodePen Embed Block8283600Text Domain Mismatch
#938Search box on Navigation Menu82223500Text Domain Mismatch
#939Code Click to Copy83129700Non-prefixed function
#940Make Disable Admin Email Verification Prompt| Aims Infosoft831042k+Text Domain Mismatch
#941Easy Photography Portfolio8338332k+Missing direct file access protection
#942Append extensions on Pages8473800Missing direct file access protection
#943Crazy Egg841217k+wp function not compatible with requires wp
#944Events Calendar for Google841382k+Missing direct file access protection
#945Stape Conversion Tracking8423410k+Non Singular String Literal Domain
#946wpautop control84751k+trademarked term
#947DCO Comment Attachment85555k+Missing nonce verification
#948Genesis Easy Columns85812k+Missing direct file access protection
#949Consent Mode Banner8537400Missing Version
#950Pronamic Google Maps8524181k+Non-prefixed global variable