WordPress.Security.EscapeOutput.UnsafePrintingFunction

Unsafe printing function

A printing function is outputting dynamic content without proving that the content is escaped.

critical weight

Why It Shows Up

The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.

Why It Matters

Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.

How to Fix

  • Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
  • Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
  • Avoid marking values as safe unless they are hard-coded or already strictly constrained.
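
The three fixes above, shown as an added example that is not taken from any scanned plugin. The function names `myplugin_profile_link_flagged()` and `myplugin_profile_link_fixed()` and the `myplugin` text domain are hypothetical, and the `function_exists` shims are simplified stand-ins that only let the file run outside WordPress.

```php
<?php
// Added example. Assumes WordPress is loaded; the shims below are simplified
// stand-ins (not WordPress's own code) so the file also runs under plain `php`.
if ( ! function_exists( 'esc_html' ) ) {
	function esc_html( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
	function esc_attr( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
	function esc_html__( $text, $domain = 'default' ) { return esc_html( $text ); }
	function esc_url( $url ) {
		// Stand-in only: keep http(s) URLs, return an empty string otherwise.
		return preg_match( '#^https?://#i', (string) $url ) ? esc_attr( $url ) : '';
	}
}

// Flagged pattern: every dynamic argument reaches the browser as-is.
function myplugin_profile_link_flagged( $name, $url ) {
	printf( '<a href="%s" title="%s">Profile of %s</a>', $url, $name, $name );
}

// Fixed pattern: each argument is escaped for the context it lands in.
function myplugin_profile_link_fixed( $name, $url ) {
	printf(
		'<a href="%1$s" title="%2$s">',
		esc_url( $url ),   // URL inside href
		esc_attr( $name )  // attribute value
	);
	printf(
		/* translators: %s: display name */
		esc_html__( 'Profile of %s', 'myplugin' ), // translated format string, escaped
		esc_html( $name )                          // HTML text node
	);
	echo '</a>'; // hard-coded markup, no dynamic content
}

// Constructed sample values standing in for request or database data.
$name = '"><script>alert(1)</script>';
$url  = 'javascript:alert(1)';

// The fixed version prints the name as inert text and drops the non-http URL.
myplugin_profile_link_fixed( $name, $url );
echo PHP_EOL;
```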

Affected Plugins

| Rank | Plugin | Score, Errors, Warnings, Installs | Added | Updated | Top Issue |
| --- | --- | --- | --- | --- | --- |
| #51 | bbPress | 219293,672100k+ | | | Non-prefixed function |
| #52 | Booking Ultra Pro Appointments Booking Calendar Plugin | 217612,083400 | | | Request data is not unslashed |
| #53 | CallTrackingMetrics | 219232863k+ | | | Unsafe printing function |
| #54 | Captcha Them All | 213003236k+ | | | Output is not escaped |
| #55 | SMS Extension for Contact Form 7 | 217201,387400 | | | Non-prefixed global variable |
| #56 | Free Downloads WooCommerce | 214303594k+ | | | Output is not escaped |
| #57 | Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More | 212,5721,2771m+ | | | Output is not escaped |
| #58 | Ebook Store | 216661,087700 | | | Non-prefixed global variable |
| #59 | Envo Extra | 2187860020k+ | | | Text Domain Mismatch |
| #60 | eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams | 211864379k+ | | | Non-prefixed global variable |
| #61 | Eupago Gateway For Woocommerce | 216123202k+ | | | Output is not escaped |
| #62 | FACTO – Facturación Electrónica | 21220245400 | | | Request data is not unslashed |
| #63 | Feeds for YouTube (YouTube video, channel, and gallery plugin) | 21558978100k+ | | | Output is not escaped |
| #64 | Campaign Monitor for WordPress | 213864612k+ | | | Non-prefixed global variable |
| #65 | Front End Users | 217192,759400 | | | Non-prefixed global variable |
| #66 | Frontend Dashboard | 21384945500 | | | Non-prefixed function |
| #67 | If-So Dynamic Content – Elementor & All Page Builders Personalization | 218897257k+ | | | Unsafe printing function |
| #68 | JCH Optimize | 219531334k+ | | | Output is not escaped |
| #69 | MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder | 211,1333,0112k+ | | | Non-prefixed global variable |
| #70 | Mapster WP Maps | 213,4402,9033k+ | | | Text Domain Mismatch |
| #71 | Mergado Pack | 212,323588700 | | | Output is not escaped |
| #72 | Mooberry Book Manager | 211,0403991k+ | | | Text Domain Mismatch |
| #73 | Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred | 211,4693,33310k+ | | | Non-prefixed global variable |
| #74 | Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages | 211,1732,9839k+ | | | Non-prefixed global variable |
| #75 | Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction | 211,9185,06510k+ | | | Non-prefixed hook name |
| #76 | PublishPress Planner – Editorial Calendar, Marketing Content, Kanban Board | 216038906k+ | | | Output is not escaped |
| #77 | Five Star Restaurant Reservations – WordPress Booking Plugin | 211,0991,14710k+ | | | Output is not escaped |
| #78 | Rocket Maintenance Mode & Coming Soon Page | 211,1761,4064k+ | | | Non-prefixed global variable |
| #79 | Royal Addons for Elementor – Addons and Templates Kit for Elementor | 2113,0112,530600k+ | | | Text Domain Mismatch |
| #80 | Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic | 2132718110k+ | | | Output is not escaped |
| #81 | Accept Stripe Payments | 2137388220k+ | | | Missing nonce verification |
| #82 | Testerwp ecommerce companion | 218114361k+ | | | Text Domain Mismatch |
| #83 | ThirstyAffiliates – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin | 2119066030k+ | | | Non-prefixed global variable |
| #84 | Revive Social – Social Media Auto Post and Scheduling Automation Plugin | 2125542520k+ | | | Non-prefixed hook name |
| #85 | IS-theme-companion | 213,5595111k+ | | | Non Singular String Literal Domain |
| #86 | Pay For Post with WooCommerce | 219601,4741k+ | | | Non-prefixed global variable |
| #87 | PPOM – Product Addons & Custom Fields for WooCommerce | 213361,32220k+ | | | Non-prefixed global variable |
| #88 | Wordfence Security – Firewall, Malware Scan, and Login Security | 211,5922,9735m+ | | | Output is not escaped |
| #89 | WP-Lister Lite for eBay | 216,6975,1292k+ | | | Output is not escaped |
| #90 | WP phpMyAdmin | 214,5286,43550k+ | | | Missing Arg Domain |
| #91 | wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin | 211,8111,43270k+ | | | Output is not escaped |
| #92 | Premium Packages – Sell Digital Products Securely | 212,7652,4443k+ | | | Output is not escaped |
| #93 | WP Extended – The Ultimate WordPress Toolkit | 211,253398600 | | | Non Singular String Literal Domain |
| #94 | WPScan – WordPress Security Scanner | 215272658k+ | | | Text Domain Mismatch |
| #95 | 12 Step Meeting List | 22156593900 | | | Non-prefixed global variable |
| #96 | Frontend Admin by DynamiApps | 225,9223,20810k+ | | | Text Domain Mismatch |
| #97 | Advanced Classifieds & Directory Pro | 221,2293,5112k+ | | | Non-prefixed global variable |
| #98 | Advanced Form Integration — Connect Forms to 200+ Apps | 225,7714,67810k+ | | | wp function not compatible with requires wp |
| #99 | Ajax Load More – Infinite Scroll, Load More, & Lazy Load | 2264159540k+ | | | Unsafe printing function |
| #100 | All-in-One Video Gallery | 229112,89220k+ | | | Non-prefixed global variable |