WordPress.Security.EscapeOutput.UnsafePrintingFunction

Unsafe printing function

A printing function is outputting dynamic content without proving that the content is escaped.

critical weight

Why It Shows Up

The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.

Why It Matters

Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.

How to Fix

  • Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
  • Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
  • Avoid marking values as safe unless they are hard-coded or already strictly constrained.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1101AGCA – Custom Dashboard & Login Page343504420k+Unsafe printing function
#1102All In One Favicon342146260k+Output is not escaped
#1103Arconix Shortcodes341291084k+Output is not escaped
#1104Assistant – Every Day Productivity Apps34124974k+Exception output is not escaped
#1105Audit Trail349010710k+Unsafe printing function
#1106AyeCode Connect3417825310k+Nonce verification recommended
#1107Beeketing for WooCommerce – Marketing Automation to Boost Sales34113123600SQL query is not prepared
#1108Blog-in-Blog346493800Non-prefixed function
#1109Buckets346876500Output is not escaped
#1110Cache Master3437127400Output is not escaped
#1111Clean Testimonials3412787400Output is not escaped
#1112CM Search And Replace – Optimize content edits with a powerful search and replace tool342861112k+Output is not escaped
#1113Cornerstone3416117430k+Nonce verification recommended
#1114CSS JS Manager, Async JavaScript, Defer Render Blocking CSS34761061k+Input is not validated
#1115Custom Login Page by SeedProd34330125500Output is not escaped
#1116Custom Post Type Attachment3415349800wp function not compatible with requires wp
#1117Datafeedr API34307486k+Output is not escaped
#1118DD Last Viewed34193132500Output is not escaped
#1119Debug Log Manager Tool34441433k+Nonce verification recommended
#1120Dr. Flex3483511k+Output is not escaped
#1121Edit Flow341032274k+Non-prefixed hook name
#1122Enhanced Text Widget341015830k+Output is not escaped
#1123Event Calendar Newsletter3496167600Non-prefixed hook name
#1124Event Post34329991k+Output is not escaped
#1125Evento34583601k+Text Domain Mismatch
#1126Export Customers Data3410949500Text Domain Mismatch
#1127Profile Box Shortcode And Widget344881381k+Output is not escaped
#1128Fancy Comments WordPress34359392k+Unsafe printing function
#1129Flash Toolkit3415824210k+Non-prefixed global variable
#1130Weight Based Shipping Table Rate for WooCommerce – Flexible Shipping34124156100k+Nonce verification recommended
#1131Forms: 3rd-Party Integration342341125k+Output is not escaped
#1132Garden Gnome Package34116514k+Text Domain Mismatch
#1133Geolocation IP Detection3422716720k+Output is not escaped
#1134Gitium3414957400Output is not escaped
#1135APG Google Video Sitemap Feed349645800Output is not escaped
#1136Signature Add-On for Gravity Forms34161481k+Text Domain Mismatch
#1137Hide Price Until Login341871152k+Non Singular String Literal Domain
#1138Hitsteps Web Analytics34370313800Output is not escaped
#1139HollerBox — Fast & Effective Popups & Lead-Generation3478922k+Output is not escaped
#1140Image Cleanup3452941k+Nonce verification recommended
#1141HTML Import 234273265k+Unsafe printing function
#1142Import XML and RSS Feeds34260852k+Unsafe printing function
#1143JS Archive List3499313k+Output is not escaped
#1144Kadence WooCommerce Email Designer34119230100k+Non-prefixed global variable
#1145Lenix Leads Collector3441424210k+Text Domain Mismatch
#1146Login with Vipps and MobilePay34263174900Output is not escaped
#1147Mailmunch Forms for Mailchimp341205310k+Output is not escaped
#1148MantraBrain Starter Sites | MantraBrain Theme Demo Importer34117611k+Output is not escaped
#1149Media Vault34115150800Output is not escaped
#1150Meow Lightbox34775210k+Non Singular String Literal Domain