WordPress.Security.EscapeOutput.UnsafePrintingFunction

Unsafe printing function

A printing function is outputting dynamic content without proving that the content is escaped.

critical weight

Why It Shows Up

The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.

Why It Matters

Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.

How to Fix

  • Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
  • Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
  • Avoid marking values as safe unless they are hard-coded or already strictly constrained.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#901Copy Anything to Clipboard for WordPress – Copy Button, Copy Text & Copy Code3152513110k+Text Domain Mismatch
#902Counter Number Showcase, Fun Facts – WordPress Animated Counter Plugin3125517010k+Non Singular String Literal Domain
#903Theme Demo Importer and Patterns Library for CozyThemes – Cozy Essential Addons313933296k+Missing direct file access protection
#904Crowdfundly31594402500Output is not escaped
#905DirectoryPress Frontend31402563800Non-prefixed global variable
#906EnvoThemes Demo Import312211403k+Output is not escaped
#907Express Checkout via PayPal for WooCommerce31158200800Nonce verification recommended
#908g-FFL Checkout31249300600Request data is not unslashed
#909Gabfire Widget Pack311,04160600Output is not escaped
#910GS Pinterest Portfolio – Pins Grid, Masonry, User Profile, Popup & Board Widgets314021561k+Text Domain Mismatch
#911OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy.3121362300k+Output is not escaped
#912Keywords to Links Converter31288144700Text Domain Mismatch
#913Login rebuilder3140622620k+Non Singular String Literal Domain
#914LWS Tools3110413410k+Request data is not unslashed
#915Mailgun for WordPress311447580k+Unsafe printing function
#916Openpay Stores Plugin31121751k+Non-prefixed global variable
#917Patreon WordPress312763393k+Output is not escaped
#918PayKeeper Payment Gateway for WooCommerce3111344500Non Singular String Literal Domain
#919Podamibe Simple Footer Widget Area31596572k+wp function not compatible with requires wp
#920Pop-up311039110k+Output is not escaped
#921Post Pay Counter316392381k+Output is not escaped
#922Active Products Tables for WooCommerce. Use constructor to create tables313644241k+Output is not escaped
#923Re:amaze Helpdesk & Live Chat3196115400Output is not escaped
#924Accordion FAQ – Compatible With All Page Builder (Elementor, Gutenberg)3146020130k+Non Singular String Literal Domain
#925Coming Soon Page & Maintenance Mode316132663k+Text Domain Mismatch
#926Social Share Buttons314621561k+Text Domain Mismatch
#927Sidebar Manager Light31221761k+Text Domain Mismatch
#928Staatic – Static Site Generator for WordPress314201952k+SQL query is not prepared
#929Team Builder – Team Member Showcase With Grid and slider, Compatible With Elementor, Gutenberg314592827k+Non Singular String Literal Domain
#930Themify Store Locator31244125500Text Domain Mismatch
#931Tutor LMS Elementor Addons3122745330k+Non-prefixed global variable
#932Big File Uploads – Increase Maximum File Upload Size3110192100k+Output is not escaped
#933Ultimate Posts Widget313098610k+Output is not escaped
#934User Spam Remover31115141k+Output is not escaped
#935Web Push Notifications – Webpushr3116929310k+Output is not escaped
#936Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets31837295100k+Unsafe printing function
#937WCPOS – Point of Sale (POS) plugin for WooCommerce31752265k+Nonce verification recommended
#938Worldline Global Online Pay for WooCommerce3116086500Missing direct file access protection
#939Discussion Board – WordPress Forum Plugin311051532k+Request data is not unslashed
#940WP Easy Uploader31202113600Non Singular String Literal Domain
#941WP Simple Booking Calendar3133738020k+Output is not escaped
#942WP Visitor Statistics (Real Time Traffic)3135369120k+Nonce verification recommended
#943WP125311781843k+Unsafe printing function
#944WPOrLogin – Custom Login, Social Login, Limit Attempts, Hide Login & reCAPTCHA314832172k+Unsafe printing function
#945Zendesk Support for WordPress31195882k+Output is not escaped
#946ACME Divi Modules3257335400Text Domain Mismatch
#947Admin Menu Editor32159233300k+Non-prefixed global variable
#948Affiliate Coupons – Coupon Display Manager – Excellent Tool for Affiliate Marketers32183611k+Output is not escaped
#949AI Alt Text Generator3276241k+Missing Translators Comment
#950Aqua Page Builder323201143k+Output is not escaped