PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing
Setting is missing a sanitization callback
A registered setting does not define a sanitization callback.
Why It Shows Up
Plugin Check found `register_setting()` without a `sanitize_callback` or equivalent validation strategy.
Why It Matters
Settings can be saved by administrators and then displayed or used later. Without sanitization, invalid or unsafe values can persist.
How to Fix
- Pass a `sanitize_callback` in the `register_setting()` arguments.
- Use built-in sanitizers for simple values and custom callbacks for structured settings.
- Validate allowed values and return a safe default when input is invalid.
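The three fixes above, combined in one registration routine. This is an added example, not code from Plugin Check or from any plugin listed on this page; the `myplugin_` prefix, the option names and the allowed layout values are hypothetical.

```php
<?php
// Hypothetical plugin prefix "myplugin"; option names and allowed values are illustrative.
add_action( 'admin_init', 'myplugin_register_settings' );

function myplugin_register_settings() {
	// Simple scalar value: a built-in sanitizer is enough.
	register_setting( 'myplugin_options', 'myplugin_items_per_page', array(
		'type'              => 'integer',
		'sanitize_callback' => 'absint',
		'default'           => 10,
	) );

	// Structured value: a custom callback validates every field.
	register_setting( 'myplugin_options', 'myplugin_display', array(
		'type'              => 'array',
		'sanitize_callback' => 'myplugin_sanitize_display',
		'default'           => myplugin_display_defaults(),
	) );
}

function myplugin_display_defaults() {
	return array( 'layout' => 'grid', 'title' => '', 'link' => '' );
}

function myplugin_sanitize_display( $input ) {
	$defaults = myplugin_display_defaults();
	if ( ! is_array( $input ) ) {
		return $defaults; // Wrong shape: fall back to the safe default.
	}
	$clean = $defaults; // Start from defaults so unknown keys in $input are dropped.

	// Enumerated value: accept only entries on the allowlist, otherwise keep the default.
	$layout = ( isset( $input['layout'] ) && is_string( $input['layout'] ) ) ? sanitize_key( $input['layout'] ) : '';
	if ( in_array( $layout, array( 'grid', 'list', 'carousel' ), true ) ) {
		$clean['layout'] = $layout;
	}

	// Free text: strip tags, control characters and extra whitespace.
	if ( isset( $input['title'] ) && is_string( $input['title'] ) ) {
		$clean['title'] = sanitize_text_field( $input['title'] );
	}

	// URL: normalise for storage and restrict the scheme to http/https.
	if ( isset( $input['link'] ) && is_string( $input['link'] ) ) {
		$clean['link'] = esc_url_raw( $input['link'], array( 'http', 'https' ) );
	}
	return $clean;
}
```

The callback sanitizes what is stored; values read back from the option still need escaping (`esc_html()`, `esc_attr()`, `esc_url()`) at the point of output.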
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #251 | User Avatar – Reloaded | 30 | 352 | 171 | 900 | | | Text Domain Mismatch |
| #252 | Waitlist Woocommerce ( Back in stock notifier ) | 30 | 272 | 311 | 4k+ | | | Output is not escaped |
| #253 | Dropify | 30 | 130 | 252 | 2k+ | | | Nonce verification recommended |
| #254 | Webling | 30 | 147 | 313 | 500 | | | Input is not validated |
| #255 | remarketable | 30 | 281 | 93 | 600 | | | Output is not escaped |
| #256 | WP Inventory Manager | 30 | 856 | 233 | 1k+ | | | Output is not escaped |
| #257 | WPOrLogin – Custom Login, Social Login, Limit Attempts, Hide Login & reCAPTCHA | 30 | 484 | 222 | 2k+ | | | Unsafe printing function |
| #258 | Advanced Woo Search – Product Search for WooCommerce | 31 | 228 | 377 | 70k+ | | | Nonce verification recommended |
| #259 | All-in-one contact buttons – WPSHARE247 | 31 | 108 | 113 | 4k+ | | | Non-prefixed global variable |
| #260 | Co-marquage service-public.fr | 31 | 84 | 213 | 1k+ | | | Non-prefixed global variable |
| #261 | g-FFL Checkout | 31 | 249 | 300 | 600 | | | Request data is not unslashed |
| #262 | OMGF \| GDPR/DSGVO Compliant, Faster Google Fonts. Easy. | 31 | 213 | 62 | 300k+ | | | Output is not escaped |
| #263 | My Private Site | 31 | 425 | 190 | 20k+ | | | Text Domain Mismatch |
| #264 | Keywords to Links Converter | 31 | 288 | 144 | 700 | | | Text Domain Mismatch |
| #265 | Patreon WordPress | 31 | 276 | 339 | 3k+ | | | Output is not escaped |
| #266 | Qode Essential Addons | 31 | 55 | 295 | 10k+ | | | Non-prefixed global variable |
| #267 | Raffle Play Woocommerce | 31 | 151 | 199 | 800 | | | Output is not escaped |
| #268 | Simple calendar for Elementor | 31 | 125 | 270 | 500 | | | Direct Query |
| #269 | Discussion Board – WordPress Forum Plugin | 31 | 105 | 153 | 2k+ | | | Request data is not unslashed |
| #270 | WPDoctor Malware Scanner & Vulnerability Checker & IP blocker with Hack monitor Lite | 31 | 133 | 438 | 600 | | | Non-prefixed global variable |
| #271 | ActiveDEMAND | 32 | 157 | 161 | 1k+ | | | Output is not escaped |
| #272 | APCu Manager | 32 | 151 | 126 | 10k+ | | | Output is not escaped |
| #273 | BuddyPress for LearnDash | 32 | 190 | 284 | 1k+ | | | Output is not escaped |
| #274 | Contact Form Block | 32 | 64 | 77 | 500 | | | Non Singular String Literal Domain |
| #275 | Cooked – Recipe Management | 32 | 462 | 275 | 3k+ | | | Output is not escaped |
| #276 | Enter Addons – Ultimate Template Builder for Elementor | 32 | 82 | 72 | 1k+ | | | Output is not escaped |
| #277 | Gallery Box | 32 | 395 | 43 | 1k+ | | | Text Domain Mismatch |
| #278 | HTML5 jQuery Audio Player | 32 | 251 | 153 | 1k+ | | | Unsafe printing function |
| #279 | DEPRECATED – Shipmondo – A complete shipping solution for WooCommerce | 32 | 166 | 119 | 5k+ | | | Output is not escaped |
| #280 | Showcase IDX Real Estate Search & Lead Capture | 32 | 123 | 52 | 2k+ | | | Output is not escaped |
| #281 | Spoki – Chat Buttons and WooCommerce Notifications | 32 | 1,074 | 260 | 700 | | | Unsafe printing function |
| #282 | TK Google Fonts GDPR Compliant | 32 | 582 | 34 | 1k+ | | | Output is not escaped |
| #283 | WooMS | 32 | 199 | 58 | 500 | | | Output is not escaped |
| #284 | WP Popup | 32 | 539 | 65 | 1k+ | | | Text Domain Mismatch |
| #285 | WPCasa – Real Estate for WordPress | 32 | 85 | 429 | 1k+ | | | Non-prefixed global variable |
| #286 | Dynamic XML Sitemaps Generator for Google | 32 | 74 | 411 | 20k+ | | | Non-prefixed global variable |
| #287 | Advanced Custom Fields: Typography Field | 33 | 445 | 57 | 4k+ | | | Text Domain Mismatch |
| #288 | Arconix Shortcodes | 33 | 129 | 107 | 4k+ | | | Output is not escaped |
| #289 | Contact List – Online Staff Directory & Address Book | 33 | 118 | 342 | 1k+ | | | Nonce verification recommended |
| #290 | Chatbot with IBM watsonx Assistant | 33 | 324 | 83 | 400 | | | Non Singular String Literal Domain |
| #291 | Countdown Timer | 33 | 311 | 17 | 900 | | | Text Domain Mismatch |
| #292 | Device Detector | 33 | 209 | 112 | 600 | | | Output is not escaped |
| #293 | DJ-Accessibility – Accessibility Plugin | 33 | 370 | 48 | 3k+ | | | Text Domain Mismatch |
| #294 | Login & Register Customizer – Popup \| Slider \| Inline \| WooCommerce | 33 | 265 | 230 | 40k+ | | | Output is not escaped |
| #295 | EchBay Phonering Alo | 33 | 74 | 47 | 1k+ | | | Output is not escaped |
| #296 | Gallery Custom Links | 33 | 64 | 62 | 30k+ | | | Non Singular String Literal Domain |
| #297 | Geliver Akıllı Kargo Pazaryeri | 33 | 46 | 248 | 400 | | | Non-prefixed global variable |
| #298 | Janolaw AGB Hosting | 33 | 198 | 11 | 1k+ | | | Short PHP open tag found |
| #299 | Merge + Minify + Refresh | 33 | 78 | 26 | 4k+ | | | date date |
| #300 | Offen | 33 | 313 | 115 | 500 | | | Output is not escaped |