PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing
Setting is missing a sanitization callback
A registered setting does not define a sanitization callback.
Why It Shows Up
Plugin Check found `register_setting()` without a `sanitize_callback` or equivalent validation strategy.
Why It Matters
Settings can be saved by administrators and then displayed or used later. Without sanitization, invalid or unsafe values can persist.
How to Fix
- Pass a `sanitize_callback` in the `register_setting()` arguments.
- Use built-in sanitizers for simple values and custom callbacks for structured settings.
- Validate allowed values and return a safe default when input is invalid.
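The three fixes above in one place, as an added example (not code from Plugin Check or from any plugin listed on this page). The `myplugin_` prefix, the option names and the allowed layout values are hypothetical.

```php
<?php
// Added example: "myplugin" names, option keys and allowed values are hypothetical.
add_action( 'admin_init', 'myplugin_register_settings' );

function myplugin_register_settings() {
	// Simple value: a built-in sanitizer is enough.
	register_setting( 'myplugin_options', 'myplugin_api_label', array(
		'type'              => 'string',
		'sanitize_callback' => 'sanitize_text_field',
		'default'           => '',
	) );
	// Structured value: a custom callback validates each key.
	register_setting( 'myplugin_options', 'myplugin_display', array(
		'type'              => 'array',
		'sanitize_callback' => 'myplugin_sanitize_display',
		'default'           => myplugin_display_defaults(),
	) );
}

function myplugin_display_defaults() {
	return array( 'layout' => 'grid', 'per_page' => 10, 'accent' => '#336699' );
}

function myplugin_sanitize_display( $input ) {
	$defaults = myplugin_display_defaults();
	if ( ! is_array( $input ) ) {
		return $defaults; // Wrong shape: fall back to the safe defaults.
	}
	$clean = array();

	// Allow-list: anything outside the known layouts becomes the default.
	$layout          = isset( $input['layout'] ) ? sanitize_key( $input['layout'] ) : '';
	$clean['layout'] = in_array( $layout, array( 'grid', 'list', 'carousel' ), true ) ? $layout : $defaults['layout'];

	// Integer accepted only within 1..100, otherwise the default.
	$per_page          = isset( $input['per_page'] ) ? absint( $input['per_page'] ) : 0;
	$clean['per_page'] = ( $per_page >= 1 && $per_page <= 100 ) ? $per_page : $defaults['per_page'];

	// sanitize_hex_color() returns null for anything that is not #rgb or #rrggbb.
	$accent          = ( isset( $input['accent'] ) && is_string( $input['accent'] ) ) ? sanitize_hex_color( $input['accent'] ) : null;
	$clean['accent'] = $accent ? $accent : $defaults['accent'];

	return $clean; // Keys not handled above are dropped, so nothing unexpected is stored.
}
```

Sanitizing on save does not replace escaping on output: values read back with `get_option()` still need `esc_html()`, `esc_attr()` or similar where they are printed.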
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #301 | Pastacode | 33 | 77 | 66 | 400 | | | Non-prefixed global variable |
| #302 | PeproDev WooCommerce Receipt Uploader | 33 | 325 | 49 | 1k+ | | | Non Singular String Literal Domain |
| #303 | Podcast Subscribe Buttons | 33 | 552 | 39 | 5k+ | | | Text Domain Mismatch |
| #304 | Review Slider for WooCommerce | 33 | 160 | 422 | 400 | | | Non-prefixed global variable |
| #305 | Reviews Plus | 33 | 223 | 378 | 1k+ | | | Non-prefixed function |
| #306 | Sessions | 33 | 196 | 103 | 900 | | | Output is not escaped |
| #307 | SMTP2GO for WordPress – Email Made Easy | 33 | 186 | 111 | 30k+ | | | Output is not escaped |
| #308 | Gravity Booster – Styles & Layouts for Gravity Forms | 33 | 277 | 87 | 40k+ | | | Missing Arg Domain |
| #309 | Testimonial Slider – Free Testimonials Slider Plugin | 33 | 91 | 50 | 800 | | | Request data is not unslashed |
| #310 | Textmetrics | 33 | 324 | 163 | 400 | | | Output is not escaped |
| #311 | CartBounty – Save and recover abandoned carts for WooCommerce | 33 | 370 | 399 | 10k+ | | | Output is not escaped |
| #312 | PDF Invoices Italian Add-on for WooCommerce | 33 | 325 | 200 | 5k+ | | | Non Singular String Literal Domain |
| #313 | WP MyLinks | 33 | 354 | 206 | 1k+ | | | Text Domain Mismatch |
| #314 | WPReplace内容字符替换插件 | 33 | 209 | 195 | 800 | | | Non Singular String Literal Domain |
| #315 | AFS Analytics | 34 | 194 | 98 | 600 | | | Text Domain Mismatch |
| #316 | Advanced Custom Fields: reCAPTCHA Field | 34 | 104 | 53 | 800 | | | Text Domain Mismatch |
| #317 | AGCA – Custom Dashboard & Login Page | 34 | 350 | 44 | 20k+ | | | Unsafe printing function |
| #318 | AyeCode Connect | 34 | 178 | 253 | 10k+ | | | Nonce verification recommended |
| #319 | Cache Master | 34 | 371 | 27 | 400 | | | Output is not escaped |
| #320 | CSS JS Manager, Async JavaScript, Defer Render Blocking CSS | 34 | 76 | 106 | 1k+ | | | Input is not validated |
| #321 | Dr. Flex | 34 | 83 | 51 | 1k+ | | | Output is not escaped |
| #322 | Essential Classy Addons for Elementor – 150+ Widgets, Templates & Performance Tools | 34 | 278 | 186 | 500 | | | Output is not escaped |
| #323 | APG Google Video Sitemap Feed | 34 | 96 | 45 | 800 | | | Output is not escaped |
| #324 | Lenix Leads Collector | 34 | 414 | 242 | 10k+ | | | Text Domain Mismatch |
| #325 | Media Vault | 34 | 115 | 150 | 800 | | | Output is not escaped |
| #326 | Meow Analytics (Google Analytics) | 34 | 80 | 54 | 500 | | | Output is not escaped |
| #327 | Meow Lightbox | 34 | 75 | 52 | 10k+ | | | Non Singular String Literal Domain |
| #328 | mowomo Social Share | 34 | 202 | 156 | 1k+ | | | Output is not escaped |
| #329 | One User Avatar \| User Profile Picture | 34 | 68 | 190 | 100k+ | | | Non-prefixed global variable |
| #330 | MW Font Changer | 34 | 463 | 75 | 7k+ | | | Text Domain Mismatch |
| #331 | Shift8 CDN | 34 | 81 | 25 | 600 | | | Output is not escaped |
| #332 | Student Result or Employee Database | 34 | 89 | 98 | 1k+ | | | Direct Query |
| #333 | Testimonial Slider | 34 | 448 | 262 | 3k+ | | | Unsafe printing function |
| #334 | Ultimate 410 Gone Status Code | 34 | 136 | 65 | 7k+ | | | Output is not escaped |
| #335 | Useful Blocks | 34 | 214 | 22 | 20k+ | | | Output is not escaped |
| #336 | WP Custom Admin Interface | 34 | 263 | 118 | 30k+ | | | Unsafe printing function |
| #337 | WP LinkedIn Auto Publish | 34 | 165 | 56 | 8k+ | | | Output is not escaped |
| #338 | WP Notes Widget | 34 | 217 | 36 | 700 | | | Output is not escaped |
| #339 | WP Random Post Thumbnails | 34 | 420 | 26 | 1k+ | | | Text Domain Mismatch |
| #340 | WP SendFox | 34 | 296 | 118 | 1k+ | | | Text Domain Mismatch |
| #341 | Amministrazione Trasparente | 35 | 80 | 46 | 1k+ | | | Output is not escaped |
| #342 | Antideo Email Validator | 35 | 38 | 98 | 800 | | | Missing nonce verification |
| #343 | Aquila Admin Theme | 35 | 151 | 329 | 3k+ | | | Non-prefixed global variable |
| #344 | Awin – Advertiser Tracking for WooCommerce | 35 | 46 | 39 | 1k+ | | | Non Singular String Literal Domain |
| #345 | AXP Cyrillic to Latin | 35 | 21 | 3 | 1k+ | | | Output is not escaped |
| #346 | Basic Google Maps Placemarks | 35 | 189 | 80 | 3k+ | | | Output is not escaped |
| #347 | Before After Image Comparison Slider for WPBakery Page Builder | 35 | 58 | 59 | 1k+ | | | Output is not escaped |
| #348 | belingoGeo | 35 | 136 | 133 | 1k+ | | | Output is not escaped |
| #349 | Tooltipy (tooltips for WP) | 35 | 370 | 125 | 1k+ | | | Text Domain Mismatch |
| #350 | Wbcom Designs – BuddyPress Activity Social Share | 35 | 293 | 27 | 500 | | | Text Domain Mismatch |