PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing
Setting is missing a sanitization callback
A registered setting does not define a sanitization callback.
Why It Shows Up
Plugin Check found `register_setting()` without a `sanitize_callback` or equivalent validation strategy.
Why It Matters
Settings can be saved by administrators and then displayed or used later. Without sanitization, invalid or unsafe values can persist.
How to Fix
- Pass a `sanitize_callback` in the `register_setting()` arguments.
- Use built-in sanitizers for simple values and custom callbacks for structured settings.
- Validate allowed values and return a safe default when input is invalid.
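The three fixes above in one place, as an added example (not code from Plugin Check or from any plugin listed below). It assumes a hypothetical plugin with a `myplugin_options` group, a plain-text `myplugin_title` option and a structured `myplugin_display` option:

```php
<?php
// Added example; every myplugin_* name and option key is hypothetical.

function myplugin_display_defaults() {
	return array( 'layout' => 'list', 'per_page' => 10, 'link' => '' );
}

// Custom callback for a structured setting: keep known keys only,
// allow-list the enum, range-check the integer, fall back to defaults.
function myplugin_sanitize_display( $input ) {
	$defaults = myplugin_display_defaults();
	if ( ! is_array( $input ) ) {
		return $defaults; // Wrong shape: discard the whole submission.
	}
	$input = wp_parse_args( array_intersect_key( $input, $defaults ), $defaults );

	$layout = is_string( $input['layout'] ) ? sanitize_key( $input['layout'] ) : '';
	if ( ! in_array( $layout, array( 'list', 'grid', 'compact' ), true ) ) {
		$layout = $defaults['layout'];
	}

	$per_page = is_scalar( $input['per_page'] ) ? absint( $input['per_page'] ) : 0;
	if ( $per_page < 1 || $per_page > 100 ) {
		$per_page = $defaults['per_page'];
	}

	// esc_url_raw() returns '' for schemes outside the allowed list.
	$link = is_string( $input['link'] )
		? esc_url_raw( $input['link'], array( 'http', 'https' ) )
		: '';

	return array( 'layout' => $layout, 'per_page' => $per_page, 'link' => $link );
}

function myplugin_register_settings() {
	// Simple value: a built-in sanitizer is enough.
	register_setting( 'myplugin_options', 'myplugin_title', array(
		'type'              => 'string',
		'sanitize_callback' => 'sanitize_text_field',
		'default'           => '',
	) );
	// Structured value: custom callback.
	register_setting( 'myplugin_options', 'myplugin_display', array(
		'type'              => 'array',
		'sanitize_callback' => 'myplugin_sanitize_display',
		'default'           => myplugin_display_defaults(),
	) );
}
add_action( 'admin_init', 'myplugin_register_settings' );
```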
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #401 | Simple Post Type Permalinks | 35 | 16 | 1 | 9k+ | | | date date |
| #402 | Simple YouTube Responsive | 35 | 75 | 8 | 3k+ | | | wp function not compatible with requires wp |
| #403 | SimpleTOC – Table of Contents Block | 35 | 10 | 0 | 10k+ | | | Setting is missing a sanitization callback |
| #404 | Spreadshop Plugin | 35 | 145 | 44 | 4k+ | | | wp function not compatible with requires wp |
| #405 | Super Cool Ad Inserter Plugin | 35 | 22 | 5 | 600 | | | Text Domain Mismatch |
| #406 | TailPress – Tailwind for WordPress | 35 | 23 | 22 | 500 | | | Output is not escaped |
| #407 | Themify Shortcodes | 35 | 36 | 16 | 7k+ | | | Output is not escaped |
| #408 | Tockify Events Calendar | 35 | 35 | 12 | 2k+ | | | Output is not escaped |
| #409 | Transcoder | 35 | 42 | 111 | 500 | | | Non-prefixed function |
| #410 | Two Factor Authentication | 35 | 108 | 139 | 20k+ | | | Output is not escaped |
| #411 | Conditional Payments and Shipping for WooCommerce | 35 | 338 | 27 | 1k+ | | | Text Domain Mismatch |
| #412 | Require Login for WooCommerce | 35 | 10 | 6 | 2k+ | | | wp function not compatible with requires wp |
| #413 | WP Cassify | 35 | 106 | 143 | 800 | | | Missing nonce verification |
| #414 | WP Compiler | 35 | 33 | 20 | 1k+ | | | Output is not escaped |
| #415 | WP Content Copy Protection | 35 | 76 | 11 | 10k+ | | | Text Domain Mismatch |
| #416 | Auto Publish for Google My Business | 35 | 216 | 192 | 10k+ | | | Input is not validated |
| #417 | WP GPX Maps | 35 | 27 | 100 | 4k+ | | | Non-prefixed global variable |
| #418 | WP-KaTeX | 35 | 14 | 8 | 800 | | | Missing direct file access protection |
| #419 | WP Login and Logout Redirect | 35 | 16 | 6 | 6k+ | | | Text Domain Mismatch |
| #420 | WP-Persian | 35 | 144 | 37 | 7k+ | | | Unsafe printing function |
| #421 | WP Site Verification tool | 35 | 34 | 37 | 1k+ | | | Non-prefixed global variable |
| #422 | WP To Top | 35 | 30 | 29 | 1k+ | | | Non-prefixed global variable |
| #423 | wpLingua – Automatic translation – Translate and make website multilingual | 35 | 79 | 167 | 2k+ | | | Nonce verification recommended |
| #424 | WPPerformanceTester | 35 | 94 | 44 | 1k+ | | | Output is not escaped |
| #425 | Writesonic | 35 | 14 | 16 | 1k+ | | | Non-prefixed global variable |
| #426 | Awesome GDPR Compliant Cookie Consent and Notice | 36 | 653 | 201 | 500 | | | Text Domain Mismatch |
| #427 | BP Disable Activation Reloaded | 36 | 147 | 28 | 800 | | | Output is not escaped |
| #428 | BuddyMeet | 36 | 114 | 32 | 700 | | | Unsafe printing function |
| #429 | Simple SEO | 36 | 164 | 113 | 10k+ | | | Non Singular String Literal Domain |
| #430 | CMB2 | 36 | 148 | 19 | 300k+ | | | Output is not escaped |
| #431 | ColorMeShop WordPress Plugin | 36 | 392 | 37 | 600 | | | Exception output is not escaped |
| #432 | Constant Contact Forms | 36 | 39 | 89 | 20k+ | | | Missing nonce verification |
| #433 | CSH Login | 36 | 126 | 41 | 500 | | | Output is not escaped |
| #434 | DeveloPress Sticky Footer Bar | 36 | 165 | 49 | 400 | | | Output is not escaped |
| #435 | Different Menu in Different Pages – Conditional Menu | 36 | 167 | 113 | 4k+ | | | Text Domain Mismatch |
| #436 | Doneren met Mollie | 36 | 420 | 351 | 4k+ | | | SQL query is not prepared |
| #437 | Easy Support Videos – Embed videos in the admin | 36 | 160 | 95 | 500 | | | Output is not escaped |
| #438 | Enhanced Media Library | 36 | 361 | 117 | 60k+ | | | Unsafe printing function |
| #439 | Happy WooCommerce FAQs – Ultimate Product FAQ Plugin | 36 | 65 | 119 | 1k+ | | | Nonce verification recommended |
| #440 | Header Footer Script Adder – Insert Code in Header, Body & Footer | 36 | 203 | 78 | 1k+ | | | Text Domain Mismatch |
| #441 | Page Speed Optimizer: HTTP/2 Push, Async JavaScript, and Defer CSS | 36 | 68 | 33 | 6k+ | | | Output is not escaped |
| #442 | Insert Headers and Footers Code – HT Script | 36 | 391 | 34 | 7k+ | | | Text Domain Mismatch |
| #443 | List category posts | 36 | 162 | 17 | 80k+ | | | Output is not escaped |
| #444 | Media Deduper | 36 | 60 | 99 | 9k+ | | | Missing Arg Domain |
| #445 | Microsoft Clarity | 36 | 48 | 163 | 200k+ | | | Nonce verification recommended |
| #446 | Motors VIN Decoder | 36 | 87 | 88 | 500 | | | Output is not escaped |
| #447 | Plugins Garbage Collector (Database Cleanup) | 36 | 32 | 51 | 10k+ | | | Missing nonce verification |
| #448 | افزونه رسمی ترب | 36 | 42 | 86 | 20k+ | | | Exception output is not escaped |
| #449 | Responsive Testimonials | 36 | 252 | 32 | 400 | | | Text Domain Mismatch |
| #450 | Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website | 36 | 216 | 50 | 50k+ | | | Output is not escaped |