WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #801 | Businessx Extensions | 29 | 337 | 529 | 1k+ | Non-prefixed function | ||
| #802 | Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms | 29 | 236 | 369 | 2k+ | Non-prefixed global variable | ||
| #803 | Chained Quiz | 29 | 1,132 | 721 | 1k+ | Text Domain Mismatch | ||
| #804 | Countdown, Coming Soon, Maintenance – Countdown & Clock | 29 | 1,735 | 143 | 10k+ | Non Singular String Literal Domain | ||
| #805 | Custom Field Template | 29 | 568 | 530 | 30k+ | wp function not compatible with requires wp | ||
| #806 | DB Cache Reloaded Fix | 29 | 133 | 42 | 2k+ | Output is not escaped | ||
| #807 | Di Themes Demo Site Importer | 29 | 343 | 183 | 1k+ | Text Domain Mismatch | ||
| #808 | Display Tweets | 29 | 135 | 135 | 900 | Non-prefixed global variable | ||
| #809 | Document Gallery | 29 | 183 | 98 | 8k+ | Output is not escaped | ||
| #810 | Interactive Image Map Plugin – Draw Attention | 29 | 620 | 227 | 20k+ | Output is not escaped | ||
| #811 | Gianism | 29 | 391 | 154 | 700 | Text Domain Mismatch | ||
| #812 | reCaptcha by BestWebSoft | 29 | 474 | 272 | 100k+ | Text Domain Mismatch | ||
| #813 | Easy HTTPS Redirection (SSL) | 29 | 266 | 152 | 100k+ | Unsafe printing function | ||
| #814 | Icyclub | 29 | 557 | 139 | 10k+ | Output is not escaped | ||
| #815 | Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms | 29 | 625 | 351 | 1k+ | Text Domain Mismatch | ||
| #816 | Interactive World Map | 29 | 684 | 341 | 1k+ | Text Domain Mismatch | ||
| #817 | Wishlist for WooCommerce | 29 | 610 | 296 | 600 | Output is not escaped | ||
| #818 | Kits, Templates and Patterns | 29 | 380 | 91 | 5k+ | Text Domain Mismatch | ||
| #819 | Liteweight Podcast – Host and Embed Podcast Episodes | 29 | 536 | 239 | 500 | Output is not escaped | ||
| #820 | Login Me Now – Passwordless, Magic Link, OTP & Social Login for WordPress | 29 | 86 | 233 | 500 | Nonce verification recommended | ||
| #821 | Offload Media – Cloud Storage | 29 | 126 | 80 | 1k+ | unlink unlink | ||
| #822 | Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization | 29 | 80 | 163 | 200k+ | Nonce verification recommended | ||
| #823 | Page View Count | 29 | 106 | 246 | 10k+ | Dynamic hook name | ||
| #824 | Post Views Counter | 29 | 179 | 398 | 200k+ | Non-prefixed hook name | ||
| #825 | Pósturinn\'s Shipping with WooCommerce | 29 | 713 | 551 | 500 | Text Domain Mismatch | ||
| #826 | Recipe Card Blocks Lite | 29 | 151 | 408 | 10k+ | Non-prefixed global variable | ||
| #827 | SamedayCourier Shipping | 29 | 336 | 269 | 4k+ | Non Singular String Literal Domain | ||
| #828 | Sender – Newsletter, SMS and Email Marketing Automation for WooCommerce | 29 | 148 | 246 | 5k+ | Unsafe printing function | ||
| #829 | Page Builder by SiteOrigin | 29 | 266 | 215 | 400k+ | Output is not escaped | ||
| #830 | BuddyPress Builder for Elementor – BuddyBuilder | 29 | 348 | 329 | 1k+ | Text Domain Mismatch | ||
| #831 | Themify Popup | 29 | 232 | 108 | 8k+ | Text Domain Mismatch | ||
| #832 | Themify – WooCommerce Product Filter | 29 | 643 | 145 | 20k+ | Output is not escaped | ||
| #833 | Ultimate Auction for WooCommerce – Excellent WP Auction Plugin | 29 | 52 | 523 | 2k+ | Non-prefixed global variable | ||
| #834 | Under Construction, Coming Soon & Maintenance Mode | 29 | 277 | 292 | 10k+ | Text Domain Mismatch | ||
| #835 | Visualizer – Tables & Charts Manager with Built-in AI Generator | 29 | 348 | 331 | 20k+ | Output is not escaped | ||
| #836 | Product Carousel Slider & Grid Ultimate for WooCommerce | 29 | 719 | 122 | 6k+ | Text Domain Mismatch | ||
| #837 | Global Payments SecureSubmit Gateway | 29 | 199 | 443 | 500 | Non-prefixed class | ||
| #838 | WP-PostRatings | 29 | 425 | 384 | 30k+ | Output is not escaped | ||
| #839 | WPComplete | 29 | 383 | 333 | 1k+ | Output is not escaped | ||
| #840 | PublishPress Blocks – Block Controls, Block Visibility, Block Permissions | 30 | 239 | 417 | 20k+ | Non-prefixed global variable | ||
| #841 | Aitasi Coming Soon | 30 | 516 | 186 | 1k+ | Output is not escaped | ||
| #842 | Analytics Insights – Google Analytics Dashboard for WordPress | 30 | 241 | 170 | 10k+ | Unsafe printing function | ||
| #843 | ApplyOnline – Application Form Builder and Manager | 30 | 345 | 244 | 2k+ | Output is not escaped | ||
| #844 | Contact Form 7 Connector | 30 | 324 | 196 | 5k+ | Text Domain Mismatch | ||
| #845 | Arile Extra | 30 | 537 | 570 | 10k+ | Non-prefixed global variable | ||
| #846 | Private groups | 30 | 583 | 316 | 1k+ | Unsafe printing function | ||
| #847 | BrightEdge Autopilot | 30 | 108 | 31 | 600 | curl curl setopt | ||
| #848 | Sliding Cart for WooCommerce by FunnelKit – Skip Cart & Reach WooCommerce Checkout Faster | 30 | 306 | 434 | 30k+ | Non-prefixed global variable | ||
| #849 | Colete-Online | 30 | 776 | 346 | 600 | Text Domain Mismatch | ||
| #850 | ContentBot AI Writer (AI Content) | 30 | 317 | 69 | 500 | rand rand |