PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing
Setting is missing a sanitization callback
A registered setting does not define a sanitization callback.
Why It Shows Up
Plugin Check found `register_setting()` without a `sanitize_callback` or equivalent validation strategy.
Why It Matters
Settings can be saved by administrators and then displayed or used later. Without sanitization, invalid or unsafe values can persist.
How to Fix
- Pass a `sanitize_callback` in the `register_setting()` arguments.
- Use built-in sanitizers for simple values and custom callbacks for structured settings.
- Validate allowed values and return a safe default when input is invalid.
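The three steps above in one place, as an added example that is not taken from Plugin Check or from any plugin listed on this page. Every `myplugin_*` function name and option key is hypothetical, and the allowed layouts and the 1..100 range are assumptions chosen for illustration.

```php
<?php
// Added example; every myplugin_* name and option key here is hypothetical.
add_action( 'admin_init', 'myplugin_register_settings' );

function myplugin_display_defaults() {
	return array( 'layout' => 'list', 'per_page' => 10, 'footer_note' => '' );
}

function myplugin_register_settings() {
	// Simple scalar value: a built-in sanitizer is enough.
	register_setting( 'myplugin_options', 'myplugin_api_label', array(
		'type'              => 'string',
		'sanitize_callback' => 'sanitize_text_field',
		'default'           => '',
	) );
	// Structured value: route it through a custom callback.
	register_setting( 'myplugin_options', 'myplugin_display', array(
		'type'              => 'array',
		'sanitize_callback' => 'myplugin_sanitize_display',
		'default'           => myplugin_display_defaults(),
	) );
}

function myplugin_sanitize_display( $input ) {
	$clean = myplugin_display_defaults();
	if ( ! is_array( $input ) ) {
		return $clean; // Wrong shape: store the defaults.
	}
	// Allow-list: any other value keeps the default layout.
	$layout = $input['layout'] ?? '';
	if ( in_array( $layout, array( 'list', 'grid', 'table' ), true ) ) {
		$clean['layout'] = $layout;
	}
	// Integer clamped to 1..100; non-numeric input keeps the default.
	if ( is_numeric( $input['per_page'] ?? null ) ) {
		$clean['per_page'] = min( 100, max( 1, (int) $input['per_page'] ) );
	}
	// Free text: strip tags and extra whitespace before it is stored.
	if ( is_string( $input['footer_note'] ?? null ) ) {
		$clean['footer_note'] = sanitize_text_field( $input['footer_note'] );
	}
	return $clean; // Keys not listed above are dropped.
}
```

Sanitizing on save does not replace escaping on output: values read back with `get_option()` still go through `esc_html()` or `esc_attr()` when printed.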
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #201 | Premmerce SEO for WooCommerce | 26 | 550 | 1,285 | 1k+ | Non-prefixed global variable | ||
| #202 | Accordions – Responsive Accordion & FAQ Plugin for WordPress | 27 | 554 | 158 | 1k+ | Text Domain Mismatch | ||
| #203 | Arconix FAQ | 27 | 552 | 201 | 6k+ | Text Domain Mismatch | ||
| #204 | Comment Link Remove and Other Comment Tools | 27 | 691 | 132 | 7k+ | Text Domain Mismatch | ||
| #205 | Contact Form Generator : Creative form builder for WordPress | 27 | 1,076 | 1,510 | 800 | Output is not escaped | ||
| #206 | Foxtool All-in-One: Contact chat button, Custom login, Media optimize images | 27 | 1,629 | 360 | 7k+ | Unsafe printing function | ||
| #207 | GSpeech TTS – WordPress Text To Speech Plugin | 27 | 842 | 332 | 3k+ | Output is not escaped | ||
| #208 | ImageRecycle pdf & image compression | 27 | 329 | 204 | 1k+ | Text Domain Mismatch | ||
| #209 | iQ Block Country | 27 | 164 | 245 | 20k+ | Request data is not unslashed | ||
| #210 | OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) | 27 | 271 | 568 | 6k+ | Request data is not unslashed | ||
| #211 | Simple Download Monitor | 27 | 218 | 273 | 20k+ | Output is not escaped | ||
| #212 | Hubbub Lite – Fast, free social sharing and follow buttons | 27 | 337 | 172 | 30k+ | Text Domain Mismatch | ||
| #213 | Verge3D Publishing and E-Commerce | 27 | 245 | 298 | 400 | Nonce verification recommended | ||
| #214 | WC Booster | 27 | 191 | 282 | 800 | Non-prefixed global variable | ||
| #215 | Wiremo – Product Reviews for WooCommerce | 27 | 445 | 212 | 700 | Output is not escaped | ||
| #216 | Email Marketing Plugin – WP Email Capture | 27 | 383 | 262 | 1k+ | Output is not escaped | ||
| #217 | WP Events Manager | 27 | 294 | 415 | 30k+ | Output is not escaped | ||
| #218 | WP Chat App | 27 | 120 | 274 | 100k+ | Alternative PHP tag found | ||
| #219 | WPBase Cache | 27 | 189 | 113 | 2k+ | Text Domain Mismatch | ||
| #220 | Ultimate Addons for SiteOrigin | 28 | 525 | 189 | 7k+ | Text Domain Mismatch | ||
| #221 | BNE Testimonials | 28 | 522 | 102 | 1k+ | Output is not escaped | ||
| #222 | Code Engine – PHP Snippets, AI Functions & Automation for WordPress | 28 | 124 | 101 | 700 | Non Singular String Literal Domain | ||
| #223 | Darklup – Enhanced WordPress Dark Mode, Dark Theme, Night Mode & Accessibility Plugin | 28 | 639 | 85 | 1k+ | Text Domain Mismatch | ||
| #224 | IdeaPush | 28 | 283 | 298 | 800 | Output is not escaped | ||
| #225 | Laposta Signup Basic | 28 | 275 | 66 | 2k+ | Output is not escaped | ||
| #226 | Opal Service | 28 | 339 | 329 | 900 | Non-prefixed global variable | ||
| #227 | PushAlert – Web Push Notifications for WordPress and WooCommerce | 28 | 196 | 63 | 1k+ | curl curl setopt | ||
| #228 | Themesflat Addons For Elementor | 28 | 714 | 227 | 40k+ | Output is not escaped | ||
| #229 | WC Fields Factory | 28 | 194 | 369 | 7k+ | Nonce verification recommended | ||
| #230 | WP ADA Compliance Check Basic | 28 | 785 | 177 | 3k+ | Text Domain Mismatch | ||
| #231 | WP GoToWebinar | 28 | 207 | 207 | 700 | Non-prefixed function | ||
| #232 | WP YouTube Lyte | 28 | 204 | 178 | 30k+ | Non-prefixed global variable | ||
| #233 | WPS Bidouille | 28 | 472 | 215 | 10k+ | Output is not escaped | ||
| #234 | Bitcoin Payments – Blockonomics | 29 | 208 | 227 | 3k+ | Output is not escaped | ||
| #235 | Database Cleaner | 29 | 135 | 297 | 10k+ | Direct Query | ||
| #236 | Interactive Image Map Plugin – Draw Attention | 29 | 620 | 227 | 20k+ | Output is not escaped | ||
| #237 | Responder | 29 | 77 | 185 | 3k+ | Non-prefixed global variable | ||
| #238 | Social Engine | 29 | 133 | 90 | 600 | Exception output is not escaped | ||
| #239 | ApplyOnline – Application Form Builder and Manager | 30 | 354 | 260 | 2k+ | Output is not escaped | ||
| #240 | Private groups | 30 | 583 | 316 | 1k+ | Unsafe printing function | ||
| #241 | Easy Custom Auto Excerpt | 30 | 84 | 166 | 6k+ | Non-prefixed global variable | ||
| #242 | Event post | 30 | 355 | 100 | 1k+ | Output is not escaped | ||
| #243 | PiWeb Export Customers Users & Guest customer to CSV for WooCommerce | 30 | 173 | 75 | 1k+ | Text Domain Mismatch | ||
| #244 | Anti-spam, Spam protection, ReCaptcha for all forms and GDPR-compliant | 30 | 264 | 221 | 4k+ | Non Singular String Literal Text | ||
| #245 | Laposta Signup Embed | 30 | 88 | 19 | 1k+ | Exception output is not escaped | ||
| #246 | Meow Gallery | 30 | 111 | 182 | 10k+ | Direct Query | ||
| #247 | Realbig For WordPress | 30 | 36 | 591 | 1k+ | Non-prefixed global variable | ||
| #248 | Rublon Multi-Factor Authentication (MFA) | 30 | 216 | 160 | 500 | Output is not escaped | ||
| #249 | Sina Extension for Elementor | 30 | 3,701 | 160 | 40k+ | Text Domain Mismatch | ||
| #250 | Star Addons for Elementor | 30 | 236 | 255 | 1k+ | Non-prefixed global variable | ||