WordPress.Security.EscapeOutput.UnsafePrintingFunction

Unsafe printing function

A printing function is outputting dynamic content without proving that the content is escaped.

critical weight

Why It Shows Up

The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.

Why It Matters

Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.

How to Fix

  • Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
  • Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
  • Avoid marking values as safe unless they are hard-coded or already strictly constrained.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#601WP Airbnb Review Slider253256461k+Non-prefixed global variable
#602Super Page Cache – Cloudflare Cache, Page Speed & Core Web Vitals2513735360k+Input is not sanitized
#603Comments Extra Fields For Post,Pages and CPT25577418500Text Domain Mismatch
#604WP Coupons and Deals – WordPress Coupon Plugin259141,4601k+Non-prefixed global variable
#605WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards251,4311,27010k+Output is not escaped
#606WP-DownloadManager256075083k+Unsafe printing function
#607WP Review Slider251,1862,2796k+Non-prefixed global variable
#608WP Go Maps – Google Map, OpenStreetMap, Leaflet Map254,9961,008300k+Unsafe printing function
#609WP Google Review Slider251,3662,58430k+Non-prefixed global variable
#610Nested Pages2567456090k+Non-prefixed global variable
#611WP-Polls2561863940k+Unsafe printing function
#612WP Popups – WordPress Popup builder2544034230k+Output is not escaped
#613Perfect Images: Regenerate Thumbnails, Image Sizes, WebP & AVIF2515811860k+Non-prefixed global variable
#614SlimStat Analytics251,17787070k+Exception output is not escaped
#615WP Super Cache258009891m+Output is not escaped
#616WP Time Slots Booking Form254391,1371k+Non-prefixed global variable
#617WP TripAdvisor Review Slider251,0632,5828k+Non-prefixed global variable
#618WP Yelp Review Slider256001,0861k+Non-prefixed global variable
#619WPCargo Track & Trace2523955710k+Non-prefixed global variable
#620Video Gallery – YouTube Gallery, Playlist & Video Grid252751,0662k+Non-prefixed hook name
#621AfterShip Tracking – All-In-One WooCommerce Order Tracking (Free plan available)262862917k+Text Domain Mismatch
#622AI Content Writing Assistant261,069516700Text Domain Mismatch
#623Attesa Extra263161511k+Output is not escaped
#624A WP Life Companion261,7034586k+Text Domain Mismatch
#625Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar265262635k+Output is not escaped
#626Conditional Logic for Woo Product Add-ons265751,352500Non-prefixed global variable
#627Database for Contact Form 7, WPforms, Elementor forms2631748960k+Non-prefixed global variable
#628WP Frontend Admin – Display WP Admin Pages in the Frontend26347337400Non Singular String Literal Domain
#629Ditty – Responsive News Tickers, Sliders, and Lists2656148430k+Output is not escaped
#630Accept Donations with PayPal & Stripe2691657210k+Unsafe printing function
#631Easy Post Views Count265341,1802k+Non-prefixed global variable
#632Event Monster – Event Manager, Ticket Booking & Registration26781781600Non-prefixed global variable
#633RSS Redirect & Feedburner Alternative262772721k+Output is not escaped
#634FG Drupal to WordPress26275100700Unsafe printing function
#635FG PrestaShop to WooCommerce2625494900Unsafe printing function
#636FlagShip WooCommerce Shipping26495188400Non Singular String Literal Domain
#637FV Antispam26332239900Output is not escaped
#638Translate WordPress – Google Language Translator26200317100k+Non-prefixed global variable
#639Hide Admin Bar Based on User Roles265491,34520k+Non-prefixed global variable
#640Ibtana – WordPress Website Builder2617340910k+Non-prefixed global variable
#641Icegram Collect – Easy Form, Lead Collection and Subscription plugin264232922k+Output is not escaped
#642Integrate Razorpay for Contact Form 72615297500curl curl setopt
#643Kadence Central – Site Management, Backups, Security, and Reporting2646221330k+Text Domain Mismatch
#644Login Widget With Shortcode263351986k+wp function not compatible with requires wp
#645MaxGalleria262785602k+Non-prefixed global variable
#646Hotel Booking266909404k+Unsafe printing function
#647Omise Payments263582562k+Output is not escaped
#648Online Contact Widget-多合一在线客服插件2670880800Non Singular String Literal Domain
#649Organic Builder Widgets – Simple WordPress Page Builder261,0341253k+Output is not escaped
#650Paytium: Mollie payment forms & donations265065513k+Unsafe printing function