PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing
Setting is missing a sanitization callback
A registered setting does not define a sanitization callback.
Why It Shows Up
Plugin Check found `register_setting()` without a `sanitize_callback` or equivalent validation strategy.
Why It Matters
Settings can be saved by administrators and then displayed or used later. Without sanitization, invalid or unsafe values can persist.
How to Fix
- Pass a `sanitize_callback` in the `register_setting()` arguments.
- Use built-in sanitizers for simple values and custom callbacks for structured settings.
- Validate allowed values and return a safe default when input is invalid.
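
The three fixes above, sketched for a WordPress plugin file. This is an added example, not code from Plugin Check or from any plugin listed on this page; every `myplugin_*` name, the option names and the allowed values are hypothetical.

```php
<?php
// Added example: all "myplugin_*" names, option names and limits are hypothetical.

// Flagged form: no sanitize_callback, so the posted value is stored as-is.
// register_setting( 'myplugin_options', 'myplugin_api_label' );

add_action( 'admin_init', 'myplugin_register_settings' );

function myplugin_register_settings() {
	// Simple value: a built-in sanitizer is enough.
	register_setting( 'myplugin_options', 'myplugin_api_label', array(
		'type'              => 'string',
		'sanitize_callback' => 'sanitize_text_field',
		'default'           => '',
	) );

	// Structured value: a custom callback validates each field.
	register_setting( 'myplugin_options', 'myplugin_display', array(
		'type'              => 'array',
		'sanitize_callback' => 'myplugin_sanitize_display',
		'default'           => myplugin_display_defaults(),
	) );
}

function myplugin_display_defaults() {
	return array( 'position' => 'bottom', 'max_items' => 5 );
}

function myplugin_sanitize_display( $input ) {
	$defaults = myplugin_display_defaults();
	if ( ! is_array( $input ) ) {
		return $defaults; // Wrong shape: fall back to the safe default.
	}

	$allowed  = array( 'top', 'bottom', 'hidden' );
	$position = isset( $input['position'] ) ? sanitize_key( $input['position'] ) : '';
	$max      = ( isset( $input['max_items'] ) && is_scalar( $input['max_items'] ) )
		? absint( $input['max_items'] )
		: 0;

	// Build a fresh array so unknown keys in $input are never stored.
	return array(
		'position'  => in_array( $position, $allowed, true ) ? $position : $defaults['position'],
		'max_items' => ( $max >= 1 && $max <= 50 ) ? $max : $defaults['max_items'],
	);
}
```

Sanitizing on save does not replace escaping on output; values read back with `get_option()` still need `esc_html()`, `esc_attr()` or similar when printed.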
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #351 | Business Hours Indicator | 35 | 139 | 106 | 8k+ | | | Alternative PHP tag found |
| #352 | CHP Ads Block Detector | 35 | 109 | 35 | 900 | | | Output is not escaped |
| #353 | Wbcom Designs – Custom Font Uploader | 35 | 340 | 123 | 3k+ | | | Text Domain Mismatch |
| #354 | Custom Post Type Permalinks | 35 | 8 | 4 | 200k+ | | | Setting is missing a sanitization callback |
| #355 | DarkLooks – Dark Mode Switcher For WordPress | 35 | 195 | 21 | 900 | | | Text Domain Mismatch |
| #356 | PiWeb Disable payment method / Partial payment for WooCommerce | 35 | 55 | 221 | 4k+ | | | Non-prefixed class |
| #357 | DOOFINDER Search and Discovery for WP & WooCommerce | 35 | 151 | 120 | 3k+ | | | Text Domain Mismatch |
| #358 | Easy Dash for LearnDash | 35 | 623 | 88 | 800 | | | Text Domain Mismatch |
| #359 | Easy Panorama | 35 | 120 | 10 | 500 | | | Non Singular String Literal Domain |
| #360 | Easy Social Icons | 35 | 182 | 158 | 20k+ | | | Output is not escaped |
| #361 | Easy SwipeBox | 35 | 157 | 10 | 2k+ | | | Non Singular String Literal Domain |
| #362 | Embed Privacy | 35 | 10 | 41 | 10k+ | | | slow db query meta key |
| #363 | Equivalent Mobile Redirect | 35 | 29 | 17 | 2k+ | | | Text Domain Mismatch |
| #364 | EWWW Image Optimizer | 35 | 225 | 729 | 1m+ | | | Direct Query |
| #365 | Export Featured Images | 35 | 176 | 67 | 1k+ | | | Output is not escaped |
| #366 | Events Calendar by FooEvents | 35 | 56 | 59 | 4k+ | | | Non-prefixed global variable |
| #367 | Friendly Captcha for WordPress | 35 | 192 | 62 | 9k+ | | | Output is not escaped |
| #368 | GDPR Compliance & Cookie Consent | 35 | 251 | 61 | 4k+ | | | Output is not escaped |
| #369 | Get a Newsletter | 35 | 138 | 144 | 400 | | | Output is not escaped |
| #370 | Gumlet – Image optimization with Resize, Compression, Lazy load, Caching & CDN delivery | 35 | 53 | 45 | 500 | | | parse url parse url |
| #371 | Ultimate Addons for Elementor | 35 | 70 | 226 | 2m+ | | | Non-prefixed hook name |
| #372 | Highlighting Code Block | 35 | 30 | 3 | 10k+ | | | Output is not escaped |
| #373 | Nobs • Share Buttons | 35 | 314 | 85 | 3k+ | | | Output is not escaped |
| #374 | Kiyoh customer review | 35 | 173 | 68 | 500 | | | Output is not escaped |
| #375 | Topic Progression Using Storyline/Captivate for LearnDash | 35 | 382 | 25 | 400 | | | Text Domain Mismatch |
| #376 | Login Page Styler – Custom WordPress Login Page Customizer & Security | 35 | 125 | 168 | 2k+ | | | Missing Arg Domain |
| #377 | Log in with Google | 35 | 5 | 17 | 6k+ | | | Non-prefixed global variable |
| #378 | Mechanic Visitor Counter | 35 | 240 | 66 | 8k+ | | | Output is not escaped |
| #379 | Mini Cart for WooCommerce – Add a Stylish Sliding Cart | 35 | 42 | 160 | 600 | | | Non-prefixed global variable |
| #380 | Modern Images WP | 35 | 10 | 3 | 400 | | | Missing Translators Comment |
| #381 | Nooz | 35 | 287 | 108 | 500 | | | Text Domain Mismatch |
| #382 | Fonts Plugin \| Google Fonts, Adobe Fonts & Upload Fonts | 35 | 41 | 8 | 200k+ | | | Missing direct file access protection |
| #383 | OPcache Manager | 35 | 155 | 75 | 1k+ | | | Output is not escaped |
| #384 | Order Delivery Date for WooCommerce | 35 | 2,060 | 73 | 10k+ | | | wp function not compatible with requires wp |
| #385 | PiWeb Delivery & Pickup Date Time for WooCommerce | 35 | 377 | 163 | 500 | | | Text Domain Mismatch |
| #386 | Planyo online reservation system | 35 | 64 | 90 | 400 | | | Output is not escaped |
| #387 | Pochipp | 35 | 27 | 102 | 20k+ | | | Non-prefixed global variable |
| #388 | Post Meta Data Manager | 35 | 30 | 112 | 1k+ | | | Non-prefixed global variable |
| #389 | Push7 | 35 | 45 | 17 | 700 | | | Short PHP open tag found |
| #390 | Quran multilanguage Text & Audio | 35 | 177 | 166 | 500 | | | Output is not escaped |
| #391 | Really Simple Google Tag Manager (GTM) | 35 | 115 | 15 | 4k+ | | | Text Domain Mismatch |
| #392 | Remove Admin Toolbar | 35 | 13 | 7 | 600 | | | Missing direct file access protection |
| #393 | Reseller Store | 35 | 56 | 34 | 1k+ | | | Output is not escaped |
| #394 | Search Attributes for WooCommerce | 35 | 26 | 3 | 600 | | | Text Domain Mismatch |
| #395 | SEO Slider | 35 | 242 | 17 | 1k+ | | | Text Domain Mismatch |
| #396 | Shop Page WP | 35 | 68 | 23 | 2k+ | | | Unsafe printing function |
| #397 | Simple CAPTCHA with Cloudflare Turnstile | 35 | 82 | 148 | 100k+ | | | Output is not escaped |
| #398 | Simple Header Footer HTML | 35 | 30 | 5 | 3k+ | | | Output is not escaped |
| #399 | Simple History – Track, Log, and Audit WordPress Changes | 35 | 32 | 122 | 300k+ | | | Non-prefixed global variable |
| #400 | Simple Image Sizes | 35 | 53 | 75 | 60k+ | | | Unsafe printing function |