WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #651 | LoginWP (Formerly Peter's Login Redirect) | 26 | 401 | 278 | 90k+ | Output is not escaped | ||
| #652 | Crowdsignal Dashboard – Polls, Surveys & more | 26 | 481 | 491 | 200k+ | Unsafe printing function | ||
| #653 | Portfolio by BestWebSoft – Work and Projects Presentation Plugin for WordPress | 26 | 525 | 240 | 600 | Text Domain Mismatch | ||
| #654 | Post List Designer – Category Post, Recent Post, Post List | 26 | 542 | 1,320 | 1k+ | Non-prefixed global variable | ||
| #655 | Premmerce User Roles | 26 | 597 | 1,357 | 600 | Non-prefixed global variable | ||
| #656 | RestaurantPress | 26 | 265 | 518 | 600 | Output is not escaped | ||
| #657 | Role Based Pricing for Woo by Meow Crew | 26 | 548 | 1,354 | 2k+ | Non-prefixed global variable | ||
| #658 | SEO Booster | 26 | 403 | 1,331 | 1k+ | Non-prefixed global variable | ||
| #659 | SP Move Login | 26 | 881 | 215 | 6k+ | Text Domain Mismatch | ||
| #660 | Sliced Invoices – WordPress Invoice Plugin | 26 | 684 | 455 | 5k+ | Output is not escaped | ||
| #661 | Video Gallery – Vimeo and YouTube Gallery | 26 | 561 | 794 | 6k+ | Non-prefixed global variable | ||
| #662 | SV Proven Expert | 26 | 747 | 380 | 900 | Output is not escaped | ||
| #663 | Tag Groups is the Advanced Way to Display Your Taxonomy Terms | 26 | 351 | 232 | 3k+ | Unsafe printing function | ||
| #664 | Theater for WordPress | 26 | 348 | 344 | 600 | Output is not escaped | ||
| #665 | Ultimate Reviews | 26 | 515 | 345 | 500 | Output is not escaped | ||
| #666 | URL Image Importer – Import External Images to the Media Library from URL, CSV & XML | 26 | 143 | 239 | 700 | Missing nonce verification | ||
| #667 | User Avatar | 26 | 104 | 173 | 4k+ | Non-prefixed constant | ||
| #668 | VikWidgetsLoader – Collection of Widgets | 26 | 1,182 | 538 | 1k+ | Output is not escaped | ||
| #669 | Virtue/Ascend/Pinnacle Toolkit | 26 | 605 | 300 | 30k+ | Output is not escaped | ||
| #670 | Cart Abandonment Recovery for WooCommerce – Recover Lost Sales with Automated Emails | 26 | 51 | 325 | 300k+ | Direct Query | ||
| #671 | Set Price Note (Units, Offers, Editions) for WooCommerce | 26 | 596 | 1,307 | 800 | Non-prefixed global variable | ||
| #672 | XL NMI Gateway for WooCommerce | 26 | 695 | 436 | 1k+ | Text Domain Mismatch | ||
| #673 | WP Flashy Marketing Automation | 26 | 432 | 186 | 2k+ | Text Domain Mismatch | ||
| #674 | WPCOM Member | 26 | 432 | 638 | 1k+ | Non Singular String Literal Domain | ||
| #675 | WPFrank Companion | 26 | 2,356 | 865 | 1k+ | Text Domain Mismatch | ||
| #676 | Accordions – Responsive Accordion & FAQ Plugin for WordPress | 27 | 554 | 158 | 1k+ | Text Domain Mismatch | ||
| #677 | Arconix FAQ | 27 | 552 | 201 | 6k+ | Text Domain Mismatch | ||
| #678 | BackUpWordPress | 27 | 245 | 271 | 90k+ | Non-prefixed global variable | ||
| #679 | Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms | 27 | 720 | 367 | 5k+ | Text Domain Mismatch | ||
| #680 | WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – CRM, Bigin | 27 | 692 | 381 | 3k+ | Text Domain Mismatch | ||
| #681 | Comment Link Remove and Other Comment Tools | 27 | 691 | 132 | 7k+ | Text Domain Mismatch | ||
| #682 | Duplicate Post | 27 | 447 | 274 | 300k+ | Unsafe printing function | ||
| #683 | Cyrlitera – Transliteration of Links and File Names | 27 | 453 | 204 | 40k+ | Output is not escaped | ||
| #684 | Gallery – Photo Albums Plugin | 27 | 647 | 252 | 2k+ | Output is not escaped | ||
| #685 | CM Tooltip Glossary | 27 | 611 | 188 | 7k+ | Output is not escaped | ||
| #686 | Events Calendar for GeoDirectory | 27 | 1,262 | 462 | 2k+ | Text Domain Mismatch | ||
| #687 | FG Joomla to WordPress | 27 | 278 | 101 | 7k+ | Unsafe printing function | ||
| #688 | Foxtool All-in-One: Contact chat button, Custom login, Media optimize images | 27 | 1,629 | 360 | 7k+ | Unsafe printing function | ||
| #689 | Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin | 27 | 212 | 497 | 2k+ | Non-prefixed global variable | ||
| #690 | StylePress for Elementor | 27 | 767 | 283 | 600 | Text Domain Mismatch | ||
| #691 | Gravity Forms + Stripe | 27 | 368 | 210 | 600 | Output is not escaped | ||
| #692 | GSpeech TTS – WordPress Text To Speech Plugin | 27 | 842 | 333 | 3k+ | Output is not escaped | ||
| #693 | Hester Core | 27 | 253 | 103 | 10k+ | Output is not escaped | ||
| #694 | HM Multiple Roles | 27 | 537 | 1,287 | 1k+ | Non-prefixed global variable | ||
| #695 | ImageRecycle pdf & image compression | 27 | 329 | 204 | 1k+ | Text Domain Mismatch | ||
| #696 | Liza Widget For Spotify and Elementor | 27 | 609 | 1,287 | 1k+ | Non-prefixed global variable | ||
| #697 | MakeCommerce for WooCommerce | 27 | 826 | 452 | 3k+ | Text Domain Mismatch | ||
| #698 | Memberful – Membership Plugin | 27 | 351 | 336 | 1k+ | Text Domain Mismatch | ||
| #699 | MLSImport – Download and synchronize real estate data from various MLS (Multiple Listing Services) | 27 | 154 | 551 | 5k+ | Non-prefixed global variable | ||
| #700 | Nextend Social Login and Register | 27 | 1,668 | 243 | 200k+ | Output is not escaped |