via pluginvulnerabilities.com => original post link
One of the many issues we now check for when doing security reviews of WordPress plugins is proper usage of the sanitize_callback when calling register_setting() to register settings. The callback runs on a setting's value before it is stored, so it helps ensure that the plugin's settings don't contain input they shouldn't. After finding that a plugin we were reviewing lacked that, we couldn't find good documentation written specifically on implementing it that we could link them to. Their own attempt to implement it went wrong, which suggests an even greater need for better documentation on it. We have provided the basics below, but if there is more that needs to be added, please let us know in the comments.
Registering the sanitize_callback
The format of the register_setting() function is this:
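As an added example (not the post's own listing, and not any real plugin's code), here is a registration with and without a sanitize_callback, together with a callback that rebuilds the option from known fields. The option group, option name, field names and the example_plugin_ function names are assumptions; register_setting(), add_settings_error(), sanitize_text_field(), esc_url_raw() and absint() are the real WordPress functions.

```php
<?php
// Added example, not code from the original post or from any plugin.
// The option group, option name, field names and example_plugin_* names are assumptions.

add_action( 'admin_init', 'example_plugin_register_settings' );

function example_plugin_register_settings() {
    // Unsafe: no sanitize_callback, so whatever is submitted to options.php
    // for this option is stored as-is (extra keys, HTML, arbitrary strings).
    // register_setting( 'example_plugin_group', 'example_plugin_options' );

    // Safe: every write to the option passes through the callback first,
    // whether it comes from the Settings API form or from update_option().
    register_setting(
        'example_plugin_group',
        'example_plugin_options',
        array(
            'type'              => 'array',
            'sanitize_callback' => 'example_plugin_sanitize_options',
            'default'           => example_plugin_default_options(),
        )
    );
}

function example_plugin_default_options() {
    return array(
        'api_key'        => '',
        'redirect_url'   => '',
        'items_per_page' => 10,
        'enabled'        => false,
        'mode'           => 'basic',
    );
}

/**
 * Rebuilds the option from scratch: only known keys survive, and each value is
 * coerced to the type and range the plugin expects. Returning $input unchanged,
 * or running sanitize_text_field() over the whole array, would not achieve that.
 */
function example_plugin_sanitize_options( $input ) {
    $defaults = example_plugin_default_options();
    $clean    = $defaults;

    if ( ! is_array( $input ) ) {
        add_settings_error(
            'example_plugin_options',
            'invalid_settings',
            __( 'Invalid settings submitted.', 'example-plugin' )
        );
        return $clean;
    }

    // Opaque token: strip tags and whitespace, then keep only the characters a key may contain.
    if ( isset( $input['api_key'] ) ) {
        $clean['api_key'] = preg_replace( '/[^A-Za-z0-9_\-]/', '', sanitize_text_field( $input['api_key'] ) );
    }

    // URL: esc_url_raw() rejects javascript: and other disallowed schemes, leaving '' if nothing safe remains.
    if ( isset( $input['redirect_url'] ) ) {
        $clean['redirect_url'] = esc_url_raw( $input['redirect_url'] );
    }

    // Integer with a bounded range; out-of-range values fall back to the default.
    if ( isset( $input['items_per_page'] ) ) {
        $n = absint( $input['items_per_page'] );
        $clean['items_per_page'] = ( $n >= 1 && $n <= 100 ) ? $n : $defaults['items_per_page'];
    }

    // Checkbox: presence of the key means checked; unchecked boxes are not submitted at all.
    $clean['enabled'] = ! empty( $input['enabled'] );

    // Enumerated value: anything outside the allow-list falls back to the default.
    $allowed_modes = array( 'basic', 'advanced' );
    if ( isset( $input['mode'] ) && in_array( $input['mode'], $allowed_modes, true ) ) {
        $clean['mode'] = $input['mode'];
    }

    return $clean;
}
```

The point of starting from the defaults and copying fields in, rather than filtering the submitted array in place, is that unexpected keys never reach the database: a plugin that later iterates over the option and outputs its values does not have to guess what else might be in there.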