WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1051 | Offen | 33 | 313 | 115 | 500 | Output is not escaped | ||
| #1052 | Pastacode | 33 | 77 | 66 | 400 | Non-prefixed global variable | ||
| #1053 | PeproDev WooCommerce Receipt Uploader | 33 | 325 | 49 | 1k+ | Non Singular String Literal Domain | ||
| #1054 | Plugin Organizer | 33 | 325 | 257 | 10k+ | Output is not escaped | ||
| #1055 | Post Lists View Custom | 33 | 462 | 150 | 2k+ | Missing Arg Domain | ||
| #1056 | PW WooCommerce Gift Cards | 33 | 238 | 186 | 20k+ | Output is not escaped | ||
| #1057 | QNAP NAS Backup | 33 | 374 | 70 | 2k+ | Non Singular String Literal Domain | ||
| #1058 | Quick Restaurant Reservations | 33 | 654 | 179 | 500 | Text Domain Mismatch | ||
| #1059 | Frisbii Pay | 33 | 91 | 292 | 1k+ | Non-prefixed global variable | ||
| #1060 | Review Slider for WooCommerce | 33 | 160 | 422 | 400 | Non-prefixed global variable | ||
| #1061 | Reviews Plus | 33 | 223 | 378 | 1k+ | Non-prefixed function | ||
| #1062 | RSS Feed Pro | 33 | 484 | 16 | 500 | Output is not escaped | ||
| #1063 | Live Sales Notification (Recent Sales Popups) | 33 | 114 | 120 | 400 | SQL query is not prepared | ||
| #1064 | Service Box – Icon Box Showcase | 33 | 385 | 230 | 3k+ | Non Singular String Literal Domain | ||
| #1065 | SMTP2GO for WordPress – Email Made Easy | 33 | 186 | 111 | 30k+ | Output is not escaped | ||
| #1066 | Social Rocket – Social Sharing Plugin | 33 | 1,016 | 255 | 1k+ | Unsafe printing function | ||
| #1067 | Spiffy Calendar | 33 | 473 | 243 | 3k+ | Output is not escaped | ||
| #1068 | Spin Wheel – Interactive spinning wheel that offers coupons | 33 | 680 | 313 | 500 | Unsafe printing function | ||
| #1069 | Simple Sticky Add To Cart For WooCommerce | 33 | 401 | 70 | 900 | Text Domain Mismatch | ||
| #1070 | Sublanguage | 33 | 266 | 287 | 700 | Output is not escaped | ||
| #1071 | Telegram Bot & Channel | 33 | 182 | 113 | 600 | Unsafe printing function | ||
| #1072 | TP Education | 33 | 186 | 303 | 800 | Unsafe printing function | ||
| #1073 | TrackingMore Order Tracking for WooCommerce (Free plan available) | 33 | 94 | 124 | 700 | Text Domain Mismatch | ||
| #1074 | WP Twitter Auto Publish | 33 | 442 | 171 | 4k+ | Output is not escaped | ||
| #1075 | Uix Shortcodes | 33 | 246 | 444 | 400 | Non-prefixed global variable | ||
| #1076 | Variation Swatches for WooCommerce | 33 | 469 | 116 | 50k+ | Text Domain Mismatch | ||
| #1077 | Multi-Carrier EasyPost Shipping Methods & Address Validation for WooCommerce | 33 | 424 | 69 | 400 | Non Singular String Literal Domain | ||
| #1078 | Multi-Carrier Shippo Shipping Rates & Address Validation for WooCommerce | 33 | 411 | 73 | 3k+ | Non Singular String Literal Domain | ||
| #1079 | Webmention | 33 | 64 | 89 | 900 | Output is not escaped | ||
| #1080 | Textmetrics | 33 | 324 | 163 | 400 | Output is not escaped | ||
| #1081 | White Label CMS | 33 | 412 | 202 | 200k+ | Unsafe printing function | ||
| #1082 | Wonder Slider Lite | 33 | 273 | 187 | 8k+ | Output is not escaped | ||
| #1083 | Product Addons for Woocommerce – Product Options with Custom Fields | 33 | 124 | 114 | 30k+ | Output is not escaped | ||
| #1084 | Hyyan WooCommerce Polylang Integration | 33 | 141 | 220 | 8k+ | Nonce verification recommended | ||
| #1085 | CartBounty – Save and recover abandoned carts for WooCommerce | 33 | 370 | 399 | 10k+ | Output is not escaped | ||
| #1086 | PDF Invoices Italian Add-on for WooCommerce | 33 | 325 | 200 | 5k+ | Non Singular String Literal Domain | ||
| #1087 | WOW Slider | 33 | 176 | 101 | 3k+ | Output is not escaped | ||
| #1088 | Books Gallery – Book Showcase, Library & Affiliate Plugin | 33 | 1,753 | 178 | 2k+ | Output is not escaped | ||
| #1089 | WP Edit | 33 | 337 | 137 | 40k+ | Unsafe printing function | ||
| #1090 | WP EXtra – One Click Optimize | 33 | 414 | 101 | 7k+ | Missing Arg Domain | ||
| #1091 | WP Social AutoConnect | 33 | 290 | 144 | 400 | Output is not escaped | ||
| #1092 | EasyMedia – Increase Media Upload File Size | Role-Based Upload Limit | Increase Execution Time | 33 | 82 | 138 | 70k+ | Non-prefixed global variable | ||
| #1093 | WP Theme Optimizer | 33 | 388 | 80 | 400 | Output is not escaped | ||
| #1094 | WP-UserOnline | 33 | 111 | 161 | 10k+ | Output is not escaped | ||
| #1095 | Editor Blocks by Download Manager | 33 | 174 | 102 | 5k+ | Output is not escaped | ||
| #1096 | WPoperation Elementor Addons | 33 | 891 | 52 | 1k+ | Text Domain Mismatch | ||
| #1097 | Video Gallery – YouTube Playlist, Channel Gallery by YotuWP | 33 | 278 | 101 | 20k+ | Missing Arg Domain | ||
| #1098 | Zita Site Library for Elementor | 33 | 107 | 135 | 1k+ | Text Domain Mismatch | ||
| #1099 | Advanced Shipping Validation for WooCommerce | 34 | 331 | 127 | 400 | Text Domain Mismatch | ||
| #1100 | Advanced Twenty Seventeen | 34 | 247 | 98 | 3k+ | Text Domain Mismatch |