WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #901 | Copy Anything to Clipboard for WordPress – Copy Button, Copy Text & Copy Code | 31 | 525 | 131 | 10k+ | Text Domain Mismatch | ||
| #902 | Counter Number Showcase, Fun Facts – WordPress Animated Counter Plugin | 31 | 255 | 170 | 10k+ | Non Singular String Literal Domain | ||
| #903 | Theme Demo Importer and Patterns Library for CozyThemes – Cozy Essential Addons | 31 | 393 | 329 | 6k+ | Missing direct file access protection | ||
| #904 | Crowdfundly | 31 | 594 | 402 | 500 | Output is not escaped | ||
| #905 | DirectoryPress Frontend | 31 | 402 | 563 | 800 | Non-prefixed global variable | ||
| #906 | EnvoThemes Demo Import | 31 | 221 | 140 | 3k+ | Output is not escaped | ||
| #907 | Express Checkout via PayPal for WooCommerce | 31 | 158 | 200 | 800 | Nonce verification recommended | ||
| #908 | g-FFL Checkout | 31 | 249 | 300 | 600 | Request data is not unslashed | ||
| #909 | Gabfire Widget Pack | 31 | 1,041 | 60 | 600 | Output is not escaped | ||
| #910 | GS Pinterest Portfolio – Pins Grid, Masonry, User Profile, Popup & Board Widgets | 31 | 402 | 156 | 1k+ | Text Domain Mismatch | ||
| #911 | OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. | 31 | 213 | 62 | 300k+ | Output is not escaped | ||
| #912 | Keywords to Links Converter | 31 | 288 | 144 | 700 | Text Domain Mismatch | ||
| #913 | Login rebuilder | 31 | 406 | 226 | 20k+ | Non Singular String Literal Domain | ||
| #914 | LWS Tools | 31 | 104 | 134 | 10k+ | Request data is not unslashed | ||
| #915 | Mailgun for WordPress | 31 | 144 | 75 | 80k+ | Unsafe printing function | ||
| #916 | Openpay Stores Plugin | 31 | 121 | 75 | 1k+ | Non-prefixed global variable | ||
| #917 | Patreon WordPress | 31 | 276 | 339 | 3k+ | Output is not escaped | ||
| #918 | PayKeeper Payment Gateway for WooCommerce | 31 | 113 | 44 | 500 | Non Singular String Literal Domain | ||
| #919 | Podamibe Simple Footer Widget Area | 31 | 596 | 57 | 2k+ | wp function not compatible with requires wp | ||
| #920 | Pop-up | 31 | 103 | 91 | 10k+ | Output is not escaped | ||
| #921 | Post Pay Counter | 31 | 639 | 238 | 1k+ | Output is not escaped | ||
| #922 | Active Products Tables for WooCommerce. Use constructor to create tables | 31 | 364 | 424 | 1k+ | Output is not escaped | ||
| #923 | Re:amaze Helpdesk & Live Chat | 31 | 96 | 115 | 400 | Output is not escaped | ||
| #924 | Accordion FAQ – Compatible With All Page Builder (Elementor, Gutenberg) | 31 | 460 | 201 | 30k+ | Non Singular String Literal Domain | ||
| #925 | Coming Soon Page & Maintenance Mode | 31 | 613 | 266 | 3k+ | Text Domain Mismatch | ||
| #926 | Social Share Buttons | 31 | 462 | 156 | 1k+ | Text Domain Mismatch | ||
| #927 | Sidebar Manager Light | 31 | 221 | 76 | 1k+ | Text Domain Mismatch | ||
| #928 | Staatic – Static Site Generator for WordPress | 31 | 420 | 195 | 2k+ | SQL query is not prepared | ||
| #929 | Team Builder – Team Member Showcase With Grid and slider, Compatible With Elementor, Gutenberg | 31 | 459 | 282 | 7k+ | Non Singular String Literal Domain | ||
| #930 | Themify Store Locator | 31 | 244 | 125 | 500 | Text Domain Mismatch | ||
| #931 | Tutor LMS Elementor Addons | 31 | 227 | 453 | 30k+ | Non-prefixed global variable | ||
| #932 | Big File Uploads – Increase Maximum File Upload Size | 31 | 101 | 92 | 100k+ | Output is not escaped | ||
| #933 | Ultimate Posts Widget | 31 | 309 | 86 | 10k+ | Output is not escaped | ||
| #934 | User Spam Remover | 31 | 115 | 14 | 1k+ | Output is not escaped | ||
| #935 | Web Push Notifications – Webpushr | 31 | 169 | 293 | 10k+ | Output is not escaped | ||
| #936 | Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets | 31 | 837 | 295 | 100k+ | Unsafe printing function | ||
| #937 | WCPOS – Point of Sale (POS) plugin for WooCommerce | 31 | 75 | 226 | 5k+ | Nonce verification recommended | ||
| #938 | Worldline Global Online Pay for WooCommerce | 31 | 160 | 86 | 500 | Missing direct file access protection | ||
| #939 | Discussion Board – WordPress Forum Plugin | 31 | 105 | 153 | 2k+ | Request data is not unslashed | ||
| #940 | WP Easy Uploader | 31 | 202 | 113 | 600 | Non Singular String Literal Domain | ||
| #941 | WP Simple Booking Calendar | 31 | 337 | 380 | 20k+ | Output is not escaped | ||
| #942 | WP Visitor Statistics (Real Time Traffic) | 31 | 353 | 691 | 20k+ | Nonce verification recommended | ||
| #943 | WP125 | 31 | 178 | 184 | 3k+ | Unsafe printing function | ||
| #944 | WPOrLogin – Custom Login, Social Login, Limit Attempts, Hide Login & reCAPTCHA | 31 | 483 | 217 | 2k+ | Unsafe printing function | ||
| #945 | Zendesk Support for WordPress | 31 | 195 | 88 | 2k+ | Output is not escaped | ||
| #946 | ACME Divi Modules | 32 | 573 | 35 | 400 | Text Domain Mismatch | ||
| #947 | Admin Menu Editor | 32 | 159 | 233 | 300k+ | Non-prefixed global variable | ||
| #948 | Affiliate Coupons – Coupon Display Manager – Excellent Tool for Affiliate Marketers | 32 | 183 | 61 | 1k+ | Output is not escaped | ||
| #949 | AI Alt Text Generator | 32 | 76 | 24 | 1k+ | Missing Translators Comment | ||
| #950 | Aqua Page Builder | 32 | 320 | 114 | 3k+ | Output is not escaped |