WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #751 | WP to LinkedIn Auto Publish | 28 | 734 | 250 | 900 | Unsafe printing function | ||
| #752 | Loginfy – Custom Login Page Customizer | 28 | 338 | 398 | 2k+ | Output is not escaped | ||
| #753 | Maven Algolia | 28 | 148 | 89 | 6k+ | Non Singular String Literal Domain | ||
| #754 | Media Hygiene: Remove or Delete Unused Images and More! | 28 | 654 | 309 | 5k+ | Non Singular String Literal Domain | ||
| #755 | My auctions allegro | 28 | 483 | 235 | 500 | Non Singular String Literal Domain | ||
| #756 | My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) | 28 | 164 | 441 | 100k+ | Non-prefixed global variable | ||
| #757 | Notification for Telegram | 28 | 189 | 93 | 4k+ | Output is not escaped | ||
| #758 | Opal Service | 28 | 339 | 329 | 900 | Non-prefixed global variable | ||
| #759 | Store Hours for WooCommerce | 28 | 525 | 60 | 2k+ | Output is not escaped | ||
| #760 | Order Tracking – WordPress Status Tracking Plugin | 28 | 619 | 773 | 3k+ | Unsafe printing function | ||
| #761 | افزونه حمل و نقل ووکامرس | پست پیشتاز، تیپاکس و پیک موتوری | 28 | 131 | 190 | 20k+ | Missing nonce verification | ||
| #762 | Pixelgrade Assistant | 28 | 1,348 | 160 | 2k+ | Text Domain Mismatch | ||
| #763 | Pixelonetry Companion | 28 | 427 | 147 | 600 | Text Domain Mismatch | ||
| #764 | Autopay | 28 | 769 | 334 | 3k+ | Text Domain Mismatch | ||
| #765 | Query Wrangler | 28 | 628 | 229 | 700 | Output is not escaped | ||
| #766 | ReDi Restaurant Reservation – Instant Restaurant Booking & Table Reservation System | 28 | 1,013 | 239 | 800 | Unsafe printing function | ||
| #767 | Brilliant Web-to-Lead for Salesforce | 28 | 247 | 244 | 2k+ | Text Domain Mismatch | ||
| #768 | Secure Downloads | 28 | 616 | 406 | 600 | Output is not escaped | ||
| #769 | Slider Pro | 28 | 583 | 527 | 4k+ | Unsafe printing function | ||
| #770 | Sparkle Demo Importer | 28 | 307 | 166 | 5k+ | Text Domain Mismatch | ||
| #771 | Terms descriptions | 28 | 222 | 423 | 1k+ | Non-prefixed function | ||
| #772 | Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor | 28 | 291 | 292 | 20k+ | Output is not escaped | ||
| #773 | Ultimate FAQ Accordion Plugin | 28 | 386 | 227 | 30k+ | Unsafe printing function | ||
| #774 | Jetpack VaultPress | 28 | 71 | 362 | 10k+ | Missing nonce verification | ||
| #775 | VG WORT METIS | 28 | 150 | 317 | 900 | Nonce verification recommended | ||
| #776 | WC Fields Factory | 28 | 194 | 369 | 7k+ | Nonce verification recommended | ||
| #777 | 10WebSocial | 28 | 584 | 185 | 10k+ | Unsafe printing function | ||
| #778 | Product Gallery Slider, Additional Variation Images for WooCommerce | 28 | 552 | 316 | 20k+ | Output is not escaped | ||
| #779 | Dynamic Product Gallery for WooCommerce | 28 | 414 | 301 | 1k+ | Output is not escaped | ||
| #780 | Email Inquiry & Cart Options for WooCommerce | 28 | 181 | 273 | 800 | Output is not escaped | ||
| #781 | Product Sort and Display for WooCommerce | 28 | 190 | 229 | 2k+ | Output is not escaped | ||
| #782 | WP Booking System – Booking Calendar | 28 | 502 | 549 | 20k+ | Output is not escaped | ||
| #783 | WP GoToWebinar | 28 | 207 | 207 | 700 | Non-prefixed function | ||
| #784 | WP Travel Gutenberg Blocks | 28 | 485 | 157 | 900 | Output is not escaped | ||
| #785 | WhyDonate – FREE Donate button – Crowdfunding – Fundraising | 28 | 216 | 328 | 800 | Non-prefixed global variable | ||
| #786 | WP YouTube Lyte | 28 | 204 | 178 | 20k+ | Non-prefixed global variable | ||
| #787 | WPify Woo – Withdrawal, CRN/VAT, QR payments, Heureka and more for WooCommerce | 28 | 177 | 226 | 5k+ | Output is not escaped | ||
| #788 | WPO365 | SEAMLESS WORDPRESS + MICROSOFT INTEGRATION (WPO365 | LOGIN) | 28 | 209 | 217 | 10k+ | Exception output is not escaped | ||
| #789 | WPS Bidouille | 28 | 472 | 215 | 10k+ | Output is not escaped | ||
| #790 | WP Synchro – The Ultimate WordPress Migration Tool | 28 | 243 | 244 | 2k+ | Missing Translators Comment | ||
| #791 | Accordion Slider | 29 | 391 | 447 | 2k+ | Unsafe printing function | ||
| #792 | Accordion Slider Gallery | 29 | 379 | 142 | 1k+ | Text Domain Mismatch | ||
| #793 | Adminimize | 29 | 296 | 691 | 200k+ | Non-prefixed global variable | ||
| #794 | AppPresser – Mobile App Framework | 29 | 262 | 214 | 1k+ | Text Domain Mismatch | ||
| #795 | aThemeArt Theme Helper | 29 | 206 | 151 | 2k+ | Non-prefixed global variable | ||
| #796 | Better Google Analytics | 29 | 376 | 869 | 2k+ | Non-prefixed global variable | ||
| #797 | Bitcoin Payments – Blockonomics | 29 | 208 | 227 | 2k+ | Output is not escaped | ||
| #798 | BNE Testimonials | 29 | 521 | 102 | 1k+ | Output is not escaped | ||
| #799 | Order Delivery Date Time & Pickup for WooCommerce | 29 | 667 | 244 | 500 | Output is not escaped | ||
| #800 | Branded Social Images – Open Graph Images with logo and extra text layer | 29 | 254 | 91 | 900 | Non Singular String Literal Domain |