WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1001 | Multi Currency For WooCommerce | 32 | 87 | 70 | 1k+ | Non-prefixed global variable | ||
| #1002 | Webdzier Companion | 32 | 539 | 89 | 800 | Text Domain Mismatch | ||
| #1003 | WebwinkelKeur: Webshop keurmerk & reviews for WordPress | 32 | 200 | 47 | 4k+ | Short PHP open tag found | ||
| #1004 | Easy 3D Viewer | 32 | 399 | 241 | 1k+ | Text Domain Mismatch | ||
| #1005 | Payment Gateway for Redsys & WooCommerce Lite | 32 | 125 | 75 | 20k+ | Text Domain Mismatch | ||
| #1006 | WP 2-step verification | 32 | 154 | 65 | 1k+ | Output is not escaped | ||
| #1007 | WP Bannerize Pro | 32 | 281 | 216 | 800 | Text Domain Mismatch | ||
| #1008 | wp-jalali | 32 | 219 | 66 | 10k+ | Text Domain Mismatch | ||
| #1009 | WP Popup | 32 | 539 | 65 | 1k+ | Text Domain Mismatch | ||
| #1010 | WP-Stats | 32 | 237 | 126 | 2k+ | Output is not escaped | ||
| #1011 | wpDirAuth | 32 | 250 | 135 | 500 | wp function not compatible with requires wp | ||
| #1012 | Advanced Custom Fields: Typography Field | 33 | 445 | 57 | 4k+ | Text Domain Mismatch | ||
| #1013 | Advanced Coupons for WooCommerce Coupons & Store Credit | 33 | 84 | 215 | 20k+ | Non-prefixed global variable | ||
| #1014 | Advanced Forms for ACF | 33 | 169 | 278 | 3k+ | Non-prefixed hook name | ||
| #1015 | Archive Posts Sort Customize | 33 | 338 | 97 | 600 | Output is not escaped | ||
| #1016 | Premium Portfolio Features for Phlox theme | 33 | 204 | 137 | 40k+ | Output is not escaped | ||
| #1017 | Awesome Widgets for SiteOrigin Page Builder | 33 | 314 | 59 | 500 | Text Domain Mismatch | ||
| #1018 | Bosta WooCommerce | 33 | 303 | 180 | 700 | Text Domain Mismatch | ||
| #1019 | Activity Plus Reloaded for BuddyPress | 33 | 88 | 93 | 1k+ | Output is not escaped | ||
| #1020 | Five Star Business Profile and Schema | 33 | 289 | 138 | 7k+ | Output is not escaped | ||
| #1021 | Addi – Cuotas que se adaptan a ti | 33 | 106 | 209 | 2k+ | Direct Query | ||
| #1022 | Cargus | 33 | 48 | 64 | 700 | Input is not sanitized | ||
| #1023 | CB Custom Beaver Builder Modules | 33 | 748 | 4 | 1k+ | Output is not escaped | ||
| #1024 | Century ToolKit | 33 | 118 | 78 | 700 | Output is not escaped | ||
| #1025 | Civic Cookie Control | 33 | 1,881 | 219 | 2k+ | Text Domain Mismatch | ||
| #1026 | Clicky Analytics | 33 | 166 | 92 | 10k+ | Output is not escaped | ||
| #1027 | Conekta Payment Gateway | 33 | 240 | 66 | 2k+ | Text Domain Mismatch | ||
| #1028 | Countdown Timer | 33 | 311 | 17 | 900 | Text Domain Mismatch | ||
| #1029 | Easy Timer | 33 | 78 | 450 | 1k+ | Non-prefixed global variable | ||
| #1030 | Easy Upload Files During Checkout | 33 | 218 | 199 | 500 | Unsafe printing function | ||
| #1031 | Human Presence – Stop Form Spam Without ReCaptcha | 33 | 54 | 65 | 1k+ | Request data is not unslashed | ||
| #1032 | Five Star Restaurant Reviews | 33 | 242 | 142 | 400 | Output is not escaped | ||
| #1033 | Comments – GraphComment | AI-Moderated Comment System | 33 | 191 | 177 | 400 | Unsafe printing function | ||
| #1034 | Gravity Forms Eway | 33 | 519 | 45 | 500 | Missing Translators Comment | ||
| #1035 | GSheetConnector for Forminator Forms | 33 | 128 | 201 | 1k+ | Non-prefixed global variable | ||
| #1036 | Mentions légales [FR] | 33 | 238 | 48 | 2k+ | Text Domain Mismatch | ||
| #1037 | HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce | 33 | 377 | 139 | 20k+ | Unsafe printing function | ||
| #1038 | Flipbox – Awesomes Flip Boxes Image Overlay | 33 | 400 | 7,279 | 10k+ | Input is not validated | ||
| #1039 | InPost Gallery | 33 | 105 | 245 | 700 | Non-prefixed global variable | ||
| #1040 | WPZOOM Social Feed Widget & Block | 33 | 310 | 278 | 60k+ | Unsafe printing function | ||
| #1041 | Intagrate Lite | 33 | 94 | 152 | 4k+ | date date | ||
| #1042 | ITRO Popup Plugin | 33 | 591 | 135 | 6k+ | Output is not escaped | ||
| #1043 | jQuery Manager for WordPress | 33 | 86 | 24 | 7k+ | Output is not escaped | ||
| #1044 | LWSCache | 33 | 47 | 104 | 6k+ | Non-prefixed global variable | ||
| #1045 | MailUp for WordPress – Email and Newsletter Subscription Form | 33 | 251 | 100 | 2k+ | Text Domain Mismatch | ||
| #1046 | MAS Companies For WP Job Manager | 33 | 62 | 308 | 1k+ | Non-prefixed hook name | ||
| #1047 | More Types | 33 | 227 | 198 | 800 | Non-prefixed global variable | ||
| #1048 | News Announcement Scroll | 33 | 237 | 259 | 2k+ | Non-prefixed global variable | ||
| #1049 | GDPR CCPA Compliance & Cookie Consent Banner | 33 | 622 | 87 | 1k+ | Non Singular String Literal Domain | ||
| #1050 | Nomad World Map | 33 | 424 | 191 | 700 | Text Domain Mismatch |