WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #701 | picu – Online Photo Proofing Gallery | 27 | 613 | 325 | 2k+ | Output is not escaped | ||
| #702 | PowerPack Lite for Beaver Builder | 27 | 2,842 | 375 | 7k+ | Text Domain Mismatch | ||
| #703 | PublishPress Permissions: Control User Access for Posts, Pages, Categories, Tags | 27 | 424 | 323 | 10k+ | Missing Translators Comment | ||
| #704 | Rate My Post – Star Rating Plugin by FeedbackWP | 27 | 222 | 360 | 20k+ | Output is not escaped | ||
| #705 | Robokassa payment gateway for Woocommerce | 27 | 95 | 211 | 3k+ | Non-prefixed global variable | ||
| #706 | Shipit | 27 | 371 | 209 | 400 | Text Domain Mismatch | ||
| #707 | Side Cart Woocommerce | Woocommerce Cart | 27 | 490 | 439 | 80k+ | Output is not escaped | ||
| #708 | Simple Download Monitor | 27 | 218 | 273 | 20k+ | Output is not escaped | ||
| #709 | Simple Event Planner | 27 | 149 | 346 | 1k+ | Non-prefixed global variable | ||
| #710 | Social Web Suite – Social Media Auto Post, Social Media Auto Publish | 27 | 74 | 164 | 500 | Non-prefixed global variable | ||
| #711 | Speed Booster Pack ⚡ PageSpeed Optimization Suite | 27 | 108 | 187 | 9k+ | Missing Translators Comment | ||
| #712 | Stream Video Player | 27 | 220 | 135 | 600 | Output is not escaped | ||
| #713 | SV Tracking Manager | 27 | 968 | 129 | 1k+ | Output is not escaped | ||
| #714 | Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More | 27 | 165 | 430 | 100k+ | Non-prefixed global variable | ||
| #715 | Transbank Webpay | 27 | 198 | 211 | 10k+ | Non-prefixed global variable | ||
| #716 | Tutor LMS – Migration Tool | 27 | 139 | 341 | 1k+ | Direct Query | ||
| #717 | Ultimate Watermark – Image Watermark, Image Protection & Bulk Watermarking | 27 | 164 | 303 | 1k+ | Nonce verification recommended | ||
| #718 | Video Gallery for WooCommerce – Add Product Video & Featured Video | 27 | 116 | 476 | 3k+ | Non-prefixed global variable | ||
| #719 | VOD Infomaniak | 27 | 797 | 385 | 20k+ | Output is not escaped | ||
| #720 | Watu Quiz | 27 | 1,089 | 1,014 | 3k+ | Output is not escaped | ||
| #721 | Tabbed Category Product Listing for Woocommerce | 27 | 423 | 111 | 1k+ | Text Domain Mismatch | ||
| #722 | Mihdan: Ajax Edit Comments | 27 | 1,300 | 523 | 400 | Text Domain Mismatch | ||
| #723 | Content Pilot – Autoblogging & Affiliate Marketing Suite | 27 | 299 | 269 | 900 | Output is not escaped | ||
| #724 | WP-DBManager | 27 | 386 | 304 | 60k+ | Non-prefixed global variable | ||
| #725 | Email Marketing Plugin – WP Email Capture | 27 | 383 | 262 | 1k+ | Output is not escaped | ||
| #726 | WP Events Manager | 27 | 294 | 415 | 30k+ | Output is not escaped | ||
| #727 | WP Hide & Security Enhancer | 27 | 124 | 375 | 50k+ | Input is not sanitized | ||
| #728 | WP Job Manager | 27 | 93 | 582 | 80k+ | Non-prefixed hook name | ||
| #729 | WP Chat App | 27 | 120 | 274 | 100k+ | Alternative PHP tag found | ||
| #730 | WPBase Cache | 27 | 189 | 113 | 2k+ | Text Domain Mismatch | ||
| #731 | YARPP – Yet Another Related Posts Plugin | 27 | 191 | 331 | 100k+ | Non-prefixed global variable | ||
| #732 | Zibal Payment Gateway for Gravity Forms | 27 | 828 | 248 | 400 | Text Domain Mismatch | ||
| #733 | AJAX Login and Registration modal popup + inline form | 28 | 157 | 261 | 3k+ | Output is not escaped | ||
| #734 | Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms | 28 | 632 | 351 | 800 | Text Domain Mismatch | ||
| #735 | Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms | 28 | 649 | 357 | 9k+ | Text Domain Mismatch | ||
| #736 | WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms | 28 | 659 | 359 | 400 | Text Domain Mismatch | ||
| #737 | Deposits & Partial Payments for WooCommerce – Bayna | 28 | 593 | 336 | 1k+ | Output is not escaped | ||
| #738 | Discount Rules and Dynamic Pricing for WooCommerce | 28 | 181 | 334 | 10k+ | Output is not escaped | ||
| #739 | easy.jobs – AI powered Job Listing, Job Board, Career Page, Recruitment & Hiring Solution | 28 | 405 | 924 | 4k+ | Missing nonce verification | ||
| #740 | Educare – Students & Result Management System | 28 | 1,114 | 1,043 | 800 | Missing nonce verification | ||
| #741 | Advanced Shipping Rates for WooCommerce: Flexible Table Rate Shipping Rules | 28 | 187 | 505 | 2k+ | Non-prefixed global variable | ||
| #742 | Friends | 28 | 164 | 679 | 1k+ | Non-prefixed global variable | ||
| #743 | Reviews and Rating – Google Reviews | 28 | 343 | 219 | 20k+ | Text Domain Mismatch | ||
| #744 | Geo Mashup | 28 | 775 | 232 | 1k+ | Text Domain Mismatch | ||
| #745 | GTmetrix for WordPress | 28 | 109 | 70 | 8k+ | Output is not escaped | ||
| #746 | HootKit | 28 | 429 | 1,295 | 8k+ | Non-prefixed global variable | ||
| #747 | IdeaPush | 28 | 283 | 298 | 700 | Output is not escaped | ||
| #748 | Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms | 28 | 641 | 348 | 1k+ | Text Domain Mismatch | ||
| #749 | WP to LinkedIn Auto Publish | 28 | 734 | 250 | 900 | Unsafe printing function | ||
| #750 | Loginfy – Custom Login Page Customizer | 28 | 338 | 398 | 2k+ | Output is not escaped |