WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #601 | WP Airbnb Review Slider | 25 | 325 | 646 | 1k+ | Non-prefixed global variable | ||
| #602 | Super Page Cache – Cloudflare Cache, Page Speed & Core Web Vitals | 25 | 137 | 353 | 60k+ | Input is not sanitized | ||
| #603 | Comments Extra Fields For Post,Pages and CPT | 25 | 577 | 418 | 500 | Text Domain Mismatch | ||
| #604 | WP Coupons and Deals – WordPress Coupon Plugin | 25 | 914 | 1,460 | 1k+ | Non-prefixed global variable | ||
| #605 | WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards | 25 | 1,431 | 1,270 | 10k+ | Output is not escaped | ||
| #606 | WP-DownloadManager | 25 | 607 | 508 | 3k+ | Unsafe printing function | ||
| #607 | WP Review Slider | 25 | 1,186 | 2,279 | 6k+ | Non-prefixed global variable | ||
| #608 | WP Go Maps – Google Map, OpenStreetMap, Leaflet Map | 25 | 4,996 | 1,008 | 300k+ | Unsafe printing function | ||
| #609 | WP Google Review Slider | 25 | 1,366 | 2,584 | 30k+ | Non-prefixed global variable | ||
| #610 | Nested Pages | 25 | 674 | 560 | 90k+ | Non-prefixed global variable | ||
| #611 | WP-Polls | 25 | 618 | 639 | 40k+ | Unsafe printing function | ||
| #612 | WP Popups – WordPress Popup builder | 25 | 440 | 342 | 30k+ | Output is not escaped | ||
| #613 | Perfect Images: Regenerate Thumbnails, Image Sizes, WebP & AVIF | 25 | 158 | 118 | 60k+ | Non-prefixed global variable | ||
| #614 | SlimStat Analytics | 25 | 1,177 | 870 | 70k+ | Exception output is not escaped | ||
| #615 | WP Super Cache | 25 | 800 | 989 | 1m+ | Output is not escaped | ||
| #616 | WP Time Slots Booking Form | 25 | 439 | 1,137 | 1k+ | Non-prefixed global variable | ||
| #617 | WP TripAdvisor Review Slider | 25 | 1,063 | 2,582 | 8k+ | Non-prefixed global variable | ||
| #618 | WP Yelp Review Slider | 25 | 600 | 1,086 | 1k+ | Non-prefixed global variable | ||
| #619 | WPCargo Track & Trace | 25 | 239 | 557 | 10k+ | Non-prefixed global variable | ||
| #620 | Video Gallery – YouTube Gallery, Playlist & Video Grid | 25 | 275 | 1,066 | 2k+ | Non-prefixed hook name | ||
| #621 | AfterShip Tracking – All-In-One WooCommerce Order Tracking (Free plan available) | 26 | 286 | 291 | 7k+ | Text Domain Mismatch | ||
| #622 | AI Content Writing Assistant | 26 | 1,069 | 516 | 700 | Text Domain Mismatch | ||
| #623 | Attesa Extra | 26 | 316 | 151 | 1k+ | Output is not escaped | ||
| #624 | A WP Life Companion | 26 | 1,703 | 458 | 6k+ | Text Domain Mismatch | ||
| #625 | Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar | 26 | 526 | 263 | 5k+ | Output is not escaped | ||
| #626 | Conditional Logic for Woo Product Add-ons | 26 | 575 | 1,352 | 500 | Non-prefixed global variable | ||
| #627 | Database for Contact Form 7, WPforms, Elementor forms | 26 | 317 | 489 | 60k+ | Non-prefixed global variable | ||
| #628 | WP Frontend Admin – Display WP Admin Pages in the Frontend | 26 | 347 | 337 | 400 | Non Singular String Literal Domain | ||
| #629 | Ditty – Responsive News Tickers, Sliders, and Lists | 26 | 561 | 484 | 30k+ | Output is not escaped | ||
| #630 | Accept Donations with PayPal & Stripe | 26 | 916 | 572 | 10k+ | Unsafe printing function | ||
| #631 | Easy Post Views Count | 26 | 534 | 1,180 | 2k+ | Non-prefixed global variable | ||
| #632 | Event Monster – Event Manager, Ticket Booking & Registration | 26 | 781 | 781 | 600 | Non-prefixed global variable | ||
| #633 | RSS Redirect & Feedburner Alternative | 26 | 277 | 272 | 1k+ | Output is not escaped | ||
| #634 | FG Drupal to WordPress | 26 | 275 | 100 | 700 | Unsafe printing function | ||
| #635 | FG PrestaShop to WooCommerce | 26 | 254 | 94 | 900 | Unsafe printing function | ||
| #636 | FlagShip WooCommerce Shipping | 26 | 495 | 188 | 400 | Non Singular String Literal Domain | ||
| #637 | FV Antispam | 26 | 332 | 239 | 900 | Output is not escaped | ||
| #638 | Translate WordPress – Google Language Translator | 26 | 200 | 317 | 100k+ | Non-prefixed global variable | ||
| #639 | Hide Admin Bar Based on User Roles | 26 | 549 | 1,345 | 20k+ | Non-prefixed global variable | ||
| #640 | Ibtana – WordPress Website Builder | 26 | 173 | 409 | 10k+ | Non-prefixed global variable | ||
| #641 | Icegram Collect – Easy Form, Lead Collection and Subscription plugin | 26 | 423 | 292 | 2k+ | Output is not escaped | ||
| #642 | Integrate Razorpay for Contact Form 7 | 26 | 152 | 97 | 500 | curl curl setopt | ||
| #643 | Kadence Central – Site Management, Backups, Security, and Reporting | 26 | 462 | 213 | 30k+ | Text Domain Mismatch | ||
| #644 | Login Widget With Shortcode | 26 | 335 | 198 | 6k+ | wp function not compatible with requires wp | ||
| #645 | MaxGalleria | 26 | 278 | 560 | 2k+ | Non-prefixed global variable | ||
| #646 | Hotel Booking | 26 | 690 | 940 | 4k+ | Unsafe printing function | ||
| #647 | Omise Payments | 26 | 358 | 256 | 2k+ | Output is not escaped | ||
| #648 | Online Contact Widget-多合一在线客服插件 | 26 | 708 | 80 | 800 | Non Singular String Literal Domain | ||
| #649 | Organic Builder Widgets – Simple WordPress Page Builder | 26 | 1,034 | 125 | 3k+ | Output is not escaped | ||
| #650 | Paytium: Mollie payment forms & donations | 26 | 506 | 551 | 3k+ | Unsafe printing function |