WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #851 | DethemeKit for Elementor | 30 | 335 | 228 | 30k+ | Output is not escaped | ||
| #852 | Easy Affiliate Links | 30 | 186 | 198 | 7k+ | Missing direct file access protection | ||
| #853 | Easy Custom Auto Excerpt | 30 | 84 | 166 | 6k+ | Non-prefixed global variable | ||
| #854 | Element Invader – Template Kits for Elementor | 30 | 274 | 130 | 3k+ | Output is not escaped | ||
| #855 | Email Templates Customizer and Designer for WordPress and WooCommerce | 30 | 250 | 349 | 20k+ | Non-prefixed global variable | ||
| #856 | Epeken All Kurir for Woocommerce | 30 | 590 | 1,246 | 400 | Missing nonce verification | ||
| #857 | Exclusive Addons for Elementor | 30 | 3,630 | 263 | 50k+ | Text Domain Mismatch | ||
| #858 | Export Plugins and Templates | 30 | 143 | 33 | 1k+ | file system operations fread | ||
| #859 | PiWeb Export Customers Users & Guest customer to CSV for WooCommerce | 30 | 173 | 75 | 1k+ | Text Domain Mismatch | ||
| #860 | FormLift for Keap (Legacy) Web Forms | 30 | 162 | 315 | 400 | Request data is not unslashed | ||
| #861 | Formzu WP | 30 | 167 | 163 | 3k+ | Text Domain Mismatch | ||
| #862 | Midtrans-WooCommerce | 30 | 112 | 132 | 5k+ | Non-prefixed global variable | ||
| #863 | Novelist | 30 | 475 | 158 | 1k+ | Output is not escaped | ||
| #864 | Operation Demo Importer – Demo Importer For WPoperation Themes | 30 | 245 | 104 | 1k+ | Text Domain Mismatch | ||
| #865 | Popularis Extra | 30 | 237 | 141 | 7k+ | Output is not escaped | ||
| #866 | Pre-Orders for WooCommerce | 30 | 568 | 261 | 7k+ | Output is not escaped | ||
| #867 | Rublon Multi-Factor Authentication (MFA) | 30 | 216 | 160 | 400 | Output is not escaped | ||
| #868 | StoreBuild – Online Store Builder for WooCommerce | 30 | 120 | 211 | 600 | Non-prefixed global variable | ||
| #869 | Stackable – Page Builder Gutenberg Blocks | 30 | 482 | 87 | 100k+ | Non Singular String Literal Domain | ||
| #870 | Star Addons for Elementor | 30 | 236 | 255 | 1k+ | Non-prefixed global variable | ||
| #871 | Taboola | 30 | 89 | 147 | 1k+ | Output is not escaped | ||
| #872 | Tabs Responsive – With WooCommerce Product Tabs Extension | 30 | 575 | 255 | 20k+ | Non Singular String Literal Domain | ||
| #873 | Themify Portfolio Post | 30 | 214 | 102 | 30k+ | Text Domain Mismatch | ||
| #874 | Travel Booking Toolkit | 30 | 245 | 324 | 3k+ | Non-prefixed global variable | ||
| #875 | Travelers' Map | 30 | 311 | 155 | 1k+ | Output is not escaped | ||
| #876 | Tutor LMS Divi Modules | 30 | 420 | 722 | 1k+ | Non-prefixed global variable | ||
| #877 | Urvanov Syntax Highlighter | 30 | 221 | 87 | 3k+ | Output is not escaped | ||
| #878 | User Avatar – Reloaded | 30 | 352 | 171 | 900 | Text Domain Mismatch | ||
| #879 | UX Flat | 30 | 539 | 203 | 1k+ | Missing Arg Domain | ||
| #880 | Waitlist Woocommerce ( Back in stock notifier ) | 30 | 272 | 311 | 4k+ | Output is not escaped | ||
| #881 | Dropify | 30 | 132 | 254 | 2k+ | Nonce verification recommended | ||
| #882 | Webling | 30 | 147 | 313 | 500 | Input is not validated | ||
| #883 | Widget Manager Light | 30 | 233 | 83 | 600 | Text Domain Mismatch | ||
| #884 | Widgetize Pages Light | 30 | 145 | 104 | 3k+ | Output is not escaped | ||
| #885 | Delivery & Pickup Date Time for WooCommerce | 30 | 439 | 435 | 5k+ | Non-prefixed global variable | ||
| #886 | WP Admin UI Customize | 30 | 629 | 390 | 30k+ | Non-prefixed global variable | ||
| #887 | WP Docs | 30 | 268 | 271 | 1k+ | Output is not escaped | ||
| #888 | WP Inventory Manager | 30 | 856 | 233 | 1k+ | Output is not escaped | ||
| #889 | WP Restaurant Price List | 30 | 295 | 95 | 500 | Text Domain Mismatch | ||
| #890 | WPS Cleaner | 30 | 430 | 491 | 20k+ | Output is not escaped | ||
| #891 | Yaad Sarig Payment Gateway For WC | 30 | 158 | 271 | 2k+ | Nonce verification recommended | ||
| #892 | zahls.ch Credit Cards, PostFinance and TWINT for WooCommerce | 30 | 121 | 265 | 3k+ | Non-prefixed global variable | ||
| #893 | Advanced Category Excluder | 31 | 349 | 160 | 600 | Output is not escaped | ||
| #894 | All-in-one contact buttons – WPSHARE247 | 31 | 108 | 113 | 4k+ | Non-prefixed global variable | ||
| #895 | Titan Anti-spam & Security – Brute Force Protection, 2FA & Spam Filter | 31 | 57 | 196 | 50k+ | Nonce verification recommended | ||
| #896 | Apaczka.pl WooCommerce | 31 | 99 | 276 | 1k+ | Non-prefixed global variable | ||
| #897 | cformsII | 31 | 777 | 536 | 3k+ | Unsafe printing function | ||
| #898 | Newsletter Sign-Up for CleverReach | 31 | 174 | 72 | 2k+ | Output is not escaped | ||
| #899 | Colorbox Panels & Info Box | 31 | 392 | 182 | 1k+ | Non Singular String Literal Domain | ||
| #900 | Cookie Dough Compliance and Consent for GDPR | 31 | 539 | 452 | 500 | Non Singular String Literal Domain |