WordPress.Security.EscapeOutput.UnsafePrintingFunction

Unsafe printing function

A printing function is outputting dynamic content without proving that the content is escaped.

critical weight

Why It Shows Up

The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.

Why It Matters

Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.

How to Fix

  • Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
  • Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
  • Avoid marking values as safe unless they are hard-coded or already strictly constrained.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#751WP to LinkedIn Auto Publish28734250900Unsafe printing function
#752Loginfy – Custom Login Page Customizer283383982k+Output is not escaped
#753Maven Algolia28148896k+Non Singular String Literal Domain
#754Media Hygiene: Remove or Delete Unused Images and More!286543095k+Non Singular String Literal Domain
#755My auctions allegro28483235500Non Singular String Literal Domain
#756My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu)28164441100k+Non-prefixed global variable
#757Notification for Telegram28189934k+Output is not escaped
#758Opal Service28339329900Non-prefixed global variable
#759Store Hours for WooCommerce28525602k+Output is not escaped
#760Order Tracking – WordPress Status Tracking Plugin286197733k+Unsafe printing function
#761افزونه حمل و نقل ووکامرس | پست پیشتاز، تیپاکس و پیک موتوری2813119020k+Missing nonce verification
#762Pixelgrade Assistant281,3481602k+Text Domain Mismatch
#763Pixelonetry Companion28427147600Text Domain Mismatch
#764Autopay287693343k+Text Domain Mismatch
#765Query Wrangler28628229700Output is not escaped
#766ReDi Restaurant Reservation – Instant Restaurant Booking & Table Reservation System281,013239800Unsafe printing function
#767Brilliant Web-to-Lead for Salesforce282472442k+Text Domain Mismatch
#768Secure Downloads28616406600Output is not escaped
#769Slider Pro285835274k+Unsafe printing function
#770Sparkle Demo Importer283071665k+Text Domain Mismatch
#771Terms descriptions282224231k+Non-prefixed function
#772Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor2829129220k+Output is not escaped
#773Ultimate FAQ Accordion Plugin2838622730k+Unsafe printing function
#774Jetpack VaultPress287136210k+Missing nonce verification
#775VG WORT METIS28150317900Nonce verification recommended
#776WC Fields Factory281943697k+Nonce verification recommended
#77710WebSocial2858418510k+Unsafe printing function
#778Product Gallery Slider, Additional Variation Images for WooCommerce2855231620k+Output is not escaped
#779Dynamic Product Gallery for WooCommerce284143011k+Output is not escaped
#780Email Inquiry & Cart Options for WooCommerce28181273800Output is not escaped
#781Product Sort and Display for WooCommerce281902292k+Output is not escaped
#782WP Booking System – Booking Calendar2850254920k+Output is not escaped
#783WP GoToWebinar28207207700Non-prefixed function
#784WP Travel Gutenberg Blocks28485157900Output is not escaped
#785WhyDonate – FREE Donate button – Crowdfunding – Fundraising28216328800Non-prefixed global variable
#786WP YouTube Lyte2820417820k+Non-prefixed global variable
#787WPify Woo – Withdrawal, CRN/VAT, QR payments, Heureka and more for WooCommerce281772265k+Output is not escaped
#788WPO365 | SEAMLESS WORDPRESS + MICROSOFT INTEGRATION (WPO365 | LOGIN)2820921710k+Exception output is not escaped
#789WPS Bidouille2847221510k+Output is not escaped
#790WP Synchro – The Ultimate WordPress Migration Tool282432442k+Missing Translators Comment
#791Accordion Slider293914472k+Unsafe printing function
#792Accordion Slider Gallery293791421k+Text Domain Mismatch
#793Adminimize29296691200k+Non-prefixed global variable
#794AppPresser – Mobile App Framework292622141k+Text Domain Mismatch
#795aThemeArt Theme Helper292061512k+Non-prefixed global variable
#796Better Google Analytics293768692k+Non-prefixed global variable
#797Bitcoin Payments – Blockonomics292082272k+Output is not escaped
#798BNE Testimonials295211021k+Output is not escaped
#799Order Delivery Date Time & Pickup for WooCommerce29667244500Output is not escaped
#800Branded Social Images – Open Graph Images with logo and extra text layer2925491900Non Singular String Literal Domain