WordPress.Security.EscapeOutput.UnsafePrintingFunction

Unsafe printing function

A printing function is outputting dynamic content without proving that the content is escaped.

critical weight

Why It Shows Up

The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.

Why It Matters

Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.

How to Fix

  • Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
  • Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
  • Avoid marking values as safe unless they are hard-coded or already strictly constrained.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#951Arile Super323283513k+Non-prefixed global variable
#952Author Avatars List/Block32851354k+Non-prefixed hook name
#953Avadanta Companion321,318542k+Text Domain Mismatch
#954Speed Kit32296732k+Output is not escaped
#955BP Classic326642166k+Unsafe printing function
#956BuddyPress for LearnDash321902841k+Output is not escaped
#957Child Theme Configurator32442267300k+Unsafe printing function
#958Code Manager32217261500Nonce verification recommended
#959Vimeotheque – Vimeo WordPress Plugin & Video Gallery326422642k+Unsafe printing function
#960Color and Image Swatches for Variable Product Attributes321731111k+Output is not escaped
#961Ultimate WooCommerce Filters32322207600Unsafe printing function
#962Contact Form Builder by vcita32666174700Text Domain Mismatch
#963Cooked – Recipe Management324622753k+Output is not escaped
#964CSV Import and Exporter32831381k+Non-prefixed global variable
#965Currency Switcher for WooCommerce3235726310k+Text Domain Mismatch
#966DHL eCommerce (Benelux) for WooCommerce322223302k+Nonce verification recommended
#967AC's Loan Calculator32246187400Unsafe printing function
#968FA Lite – WP responsive slider plugin32726140500Unsafe printing function
#969WP Gravity Forms HubSpot32771160600Text Domain Mismatch
#970GlotPress32403103500Unsafe printing function
#971GSheetConnector For Ninja Forms32165931k+Unsafe printing function
#972Gwolle Guestbook3226952720k+Output is not escaped
#973HTML5 jQuery Audio Player322511531k+Unsafe printing function
#974Image Slider Slideshow324091712k+Text Domain Mismatch
#975Juiz Last Tweet Widget3213653500Output is not escaped
#976Manager for IcoMoon3227068400Short PHP open tag found
#977MapPress Maps for WordPress3269513330k+Missing Arg Domain
#978Members – Membership & User Role Editor Plugin32233259300k+Output is not escaped
#979MetaSlider Gallery – Image Gallery, Lightbox Galleries, Modal Windows321596210k+Output is not escaped
#980WP Mobile Menu – The Mobile-Friendly Responsive Menu3299019570k+Output is not escaped
#981Moyasar32539221700Text Domain Mismatch
#982Opal Mega Menu32419119400Text Domain Mismatch
#983DEPRECATED – Shipmondo – A complete shipping solution for WooCommerce321661195k+Output is not escaped
#984Barion Payment Gateway for WooCommerce32671526k+Non-prefixed global variable
#985Autopay dla WooCommerce329583900Output is not escaped
#986PilotPress32150285900Output is not escaped
#987Post and Page Builder by BoldGrid – Visual Drag and Drop Editor3234825850k+Output is not escaped
#988Posti Shipping326641571k+Text Domain Mismatch
#989Volunteer Sign Up Sheets329674011k+Output is not escaped
#990Quick Featured Images3243632350k+Non-prefixed global variable
#991Responsive Filterable Portfolio Gallery – Media Grid & Video Portfolio324361631k+Output is not escaped
#992Restrict Usernames Emails Characters323273671k+Output is not escaped
#993RSS for Yandex Turbo3268730720k+Unsafe printing function
#994Simple Ajax Chat – Add a Fast, Secure Chat Box321082662k+Output is not escaped
#995Spoki – Chat Buttons and WooCommerce Notifications321,074260700Unsafe printing function
#996Stock Locations for WooCommerce325493601k+Output is not escaped
#997Stock Sync for WooCommerce323622321k+Text Domain Mismatch
#998Tainacan Support for Blocksy32244526500Non-prefixed global variable
#999Theme My Login3225154960k+Non-prefixed function
#1000Unbounce Landing Pages321698610k+Output is not escaped