WordPress.Security.EscapeOutput.UnsafePrintingFunction

Unsafe printing function

A printing function is outputting dynamic content without proving that the content is escaped.

critical weight

Why It Shows Up

The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.

Why It Matters

Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.

How to Fix

  • Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
  • Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
  • Avoid marking values as safe unless they are hard-coded or already strictly constrained.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#851DethemeKit for Elementor3033522830k+Output is not escaped
#852Easy Affiliate Links301861987k+Missing direct file access protection
#853Easy Custom Auto Excerpt30841666k+Non-prefixed global variable
#854Element Invader – Template Kits for Elementor302741303k+Output is not escaped
#855Email Templates Customizer and Designer for WordPress and WooCommerce3025034920k+Non-prefixed global variable
#856Epeken All Kurir for Woocommerce305901,246400Missing nonce verification
#857Exclusive Addons for Elementor303,63026350k+Text Domain Mismatch
#858Export Plugins and Templates30143331k+file system operations fread
#859PiWeb Export Customers Users & Guest customer to CSV for WooCommerce30173751k+Text Domain Mismatch
#860FormLift for Keap (Legacy) Web Forms30162315400Request data is not unslashed
#861Formzu WP301671633k+Text Domain Mismatch
#862Midtrans-WooCommerce301121325k+Non-prefixed global variable
#863Novelist304751581k+Output is not escaped
#864Operation Demo Importer – Demo Importer For WPoperation Themes302451041k+Text Domain Mismatch
#865Popularis Extra302371417k+Output is not escaped
#866Pre-Orders for WooCommerce305682617k+Output is not escaped
#867Rublon Multi-Factor Authentication (MFA)30216160400Output is not escaped
#868StoreBuild – Online Store Builder for WooCommerce30120211600Non-prefixed global variable
#869Stackable – Page Builder Gutenberg Blocks3048287100k+Non Singular String Literal Domain
#870Star Addons for Elementor302362551k+Non-prefixed global variable
#871Taboola30891471k+Output is not escaped
#872Tabs Responsive – With WooCommerce Product Tabs Extension3057525520k+Non Singular String Literal Domain
#873Themify Portfolio Post3021410230k+Text Domain Mismatch
#874Travel Booking Toolkit302453243k+Non-prefixed global variable
#875Travelers' Map303111551k+Output is not escaped
#876Tutor LMS Divi Modules304207221k+Non-prefixed global variable
#877Urvanov Syntax Highlighter30221873k+Output is not escaped
#878User Avatar – Reloaded30352171900Text Domain Mismatch
#879UX Flat305392031k+Missing Arg Domain
#880Waitlist Woocommerce ( Back in stock notifier )302723114k+Output is not escaped
#881Dropify301322542k+Nonce verification recommended
#882Webling30147313500Input is not validated
#883Widget Manager Light3023383600Text Domain Mismatch
#884Widgetize Pages Light301451043k+Output is not escaped
#885Delivery & Pickup Date Time for WooCommerce304394355k+Non-prefixed global variable
#886WP Admin UI Customize3062939030k+Non-prefixed global variable
#887WP Docs302682711k+Output is not escaped
#888WP Inventory Manager308562331k+Output is not escaped
#889WP Restaurant Price List3029595500Text Domain Mismatch
#890WPS Cleaner3043049120k+Output is not escaped
#891Yaad Sarig Payment Gateway For WC301582712k+Nonce verification recommended
#892zahls.ch Credit Cards, PostFinance and TWINT for WooCommerce301212653k+Non-prefixed global variable
#893Advanced Category Excluder31349160600Output is not escaped
#894All-in-one contact buttons – WPSHARE247311081134k+Non-prefixed global variable
#895Titan Anti-spam & Security – Brute Force Protection, 2FA & Spam Filter315719650k+Nonce verification recommended
#896Apaczka.pl WooCommerce31992761k+Non-prefixed global variable
#897cformsII317775363k+Unsafe printing function
#898Newsletter Sign-Up for CleverReach31174722k+Output is not escaped
#899Colorbox Panels & Info Box313921821k+Non Singular String Literal Domain
#900Cookie Dough Compliance and Consent for GDPR31539452500Non Singular String Literal Domain