WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #951 | Arile Super | 32 | 328 | 351 | 3k+ | Non-prefixed global variable | ||
| #952 | Author Avatars List/Block | 32 | 85 | 135 | 4k+ | Non-prefixed hook name | ||
| #953 | Avadanta Companion | 32 | 1,318 | 54 | 2k+ | Text Domain Mismatch | ||
| #954 | Speed Kit | 32 | 296 | 73 | 2k+ | Output is not escaped | ||
| #955 | BP Classic | 32 | 664 | 216 | 6k+ | Unsafe printing function | ||
| #956 | BuddyPress for LearnDash | 32 | 190 | 284 | 1k+ | Output is not escaped | ||
| #957 | Child Theme Configurator | 32 | 442 | 267 | 300k+ | Unsafe printing function | ||
| #958 | Code Manager | 32 | 217 | 261 | 500 | Nonce verification recommended | ||
| #959 | Vimeotheque – Vimeo WordPress Plugin & Video Gallery | 32 | 642 | 264 | 2k+ | Unsafe printing function | ||
| #960 | Color and Image Swatches for Variable Product Attributes | 32 | 173 | 111 | 1k+ | Output is not escaped | ||
| #961 | Ultimate WooCommerce Filters | 32 | 322 | 207 | 600 | Unsafe printing function | ||
| #962 | Contact Form Builder by vcita | 32 | 666 | 174 | 700 | Text Domain Mismatch | ||
| #963 | Cooked – Recipe Management | 32 | 462 | 275 | 3k+ | Output is not escaped | ||
| #964 | CSV Import and Exporter | 32 | 83 | 138 | 1k+ | Non-prefixed global variable | ||
| #965 | Currency Switcher for WooCommerce | 32 | 357 | 263 | 10k+ | Text Domain Mismatch | ||
| #966 | DHL eCommerce (Benelux) for WooCommerce | 32 | 222 | 330 | 2k+ | Nonce verification recommended | ||
| #967 | AC's Loan Calculator | 32 | 246 | 187 | 400 | Unsafe printing function | ||
| #968 | FA Lite – WP responsive slider plugin | 32 | 726 | 140 | 500 | Unsafe printing function | ||
| #969 | WP Gravity Forms HubSpot | 32 | 771 | 160 | 600 | Text Domain Mismatch | ||
| #970 | GlotPress | 32 | 403 | 103 | 500 | Unsafe printing function | ||
| #971 | GSheetConnector For Ninja Forms | 32 | 165 | 93 | 1k+ | Unsafe printing function | ||
| #972 | Gwolle Guestbook | 32 | 269 | 527 | 20k+ | Output is not escaped | ||
| #973 | HTML5 jQuery Audio Player | 32 | 251 | 153 | 1k+ | Unsafe printing function | ||
| #974 | Image Slider Slideshow | 32 | 409 | 171 | 2k+ | Text Domain Mismatch | ||
| #975 | Juiz Last Tweet Widget | 32 | 136 | 53 | 500 | Output is not escaped | ||
| #976 | Manager for IcoMoon | 32 | 270 | 68 | 400 | Short PHP open tag found | ||
| #977 | MapPress Maps for WordPress | 32 | 695 | 133 | 30k+ | Missing Arg Domain | ||
| #978 | Members – Membership & User Role Editor Plugin | 32 | 233 | 259 | 300k+ | Output is not escaped | ||
| #979 | MetaSlider Gallery – Image Gallery, Lightbox Galleries, Modal Windows | 32 | 159 | 62 | 10k+ | Output is not escaped | ||
| #980 | WP Mobile Menu – The Mobile-Friendly Responsive Menu | 32 | 990 | 195 | 70k+ | Output is not escaped | ||
| #981 | Moyasar | 32 | 539 | 221 | 700 | Text Domain Mismatch | ||
| #982 | Opal Mega Menu | 32 | 419 | 119 | 400 | Text Domain Mismatch | ||
| #983 | DEPRECATED – Shipmondo – A complete shipping solution for WooCommerce | 32 | 166 | 119 | 5k+ | Output is not escaped | ||
| #984 | Barion Payment Gateway for WooCommerce | 32 | 67 | 152 | 6k+ | Non-prefixed global variable | ||
| #985 | Autopay dla WooCommerce | 32 | 95 | 83 | 900 | Output is not escaped | ||
| #986 | PilotPress | 32 | 150 | 285 | 900 | Output is not escaped | ||
| #987 | Post and Page Builder by BoldGrid – Visual Drag and Drop Editor | 32 | 348 | 258 | 50k+ | Output is not escaped | ||
| #988 | Posti Shipping | 32 | 664 | 157 | 1k+ | Text Domain Mismatch | ||
| #989 | Volunteer Sign Up Sheets | 32 | 967 | 401 | 1k+ | Output is not escaped | ||
| #990 | Quick Featured Images | 32 | 436 | 323 | 50k+ | Non-prefixed global variable | ||
| #991 | Responsive Filterable Portfolio Gallery – Media Grid & Video Portfolio | 32 | 436 | 163 | 1k+ | Output is not escaped | ||
| #992 | Restrict Usernames Emails Characters | 32 | 327 | 367 | 1k+ | Output is not escaped | ||
| #993 | RSS for Yandex Turbo | 32 | 687 | 307 | 20k+ | Unsafe printing function | ||
| #994 | Simple Ajax Chat – Add a Fast, Secure Chat Box | 32 | 108 | 266 | 2k+ | Output is not escaped | ||
| #995 | Spoki – Chat Buttons and WooCommerce Notifications | 32 | 1,074 | 260 | 700 | Unsafe printing function | ||
| #996 | Stock Locations for WooCommerce | 32 | 549 | 360 | 1k+ | Output is not escaped | ||
| #997 | Stock Sync for WooCommerce | 32 | 362 | 232 | 1k+ | Text Domain Mismatch | ||
| #998 | Tainacan Support for Blocksy | 32 | 244 | 526 | 500 | Non-prefixed global variable | ||
| #999 | Theme My Login | 32 | 251 | 549 | 60k+ | Non-prefixed function | ||
| #1000 | Unbounce Landing Pages | 32 | 169 | 86 | 10k+ | Output is not escaped |