WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1151 | OTP Login & Register Woocommerce | 34 | 148 | 202 | 1k+ | Missing nonce verification | ||
| #1152 | MPL-Publisher — Ebook & Audiobook Creator | 34 | 489 | 76 | 800 | Text Domain Mismatch | ||
| #1153 | Multi Step Form | 34 | 277 | 139 | 9k+ | Output is not escaped | ||
| #1154 | My Tickets – Accessible Event Ticketing | 34 | 314 | 566 | 700 | Nonce verification recommended | ||
| #1155 | NextGEN Gallery Optimizer | 34 | 128 | 92 | 2k+ | Output is not escaped | ||
| #1156 | One User Avatar | User Profile Picture | 34 | 68 | 190 | 100k+ | Non-prefixed global variable | ||
| #1157 | Openpay SPEI Plugin | 34 | 112 | 14 | 1k+ | Exception output is not escaped | ||
| #1158 | Child Theme Creator by Orbisius | 34 | 86 | 39 | 10k+ | Output is not escaped | ||
| #1159 | OwnerRez | 34 | 79 | 56 | 700 | Unsafe printing function | ||
| #1160 | MW Font Changer | 34 | 463 | 75 | 7k+ | Text Domain Mismatch | ||
| #1161 | Podigee WordPress Quick Publish – now with Gutenberg support! | 34 | 108 | 95 | 700 | Text Domain Mismatch | ||
| #1162 | Progress Bar & Skill Bar | 34 | 175 | 179 | 1k+ | Non Singular String Literal Domain | ||
| #1163 | PW WooCommerce Bulk Edit | 34 | 219 | 149 | 20k+ | Unsafe printing function | ||
| #1164 | RaraTheme Companion | 34 | 430 | 71 | 10k+ | Output is not escaped | ||
| #1165 | Saphali Woocommerce Lite | 34 | 376 | 313 | 10k+ | Non-prefixed global variable | ||
| #1166 | Search Engine Insights for Google Search Console | 34 | 174 | 113 | 2k+ | Output is not escaped | ||
| #1167 | Search Meter | 34 | 191 | 94 | 20k+ | Output is not escaped | ||
| #1168 | Seriously Simple Stats | 34 | 99 | 126 | 5k+ | Output is not escaped | ||
| #1169 | Shift8 CDN | 34 | 81 | 25 | 600 | Output is not escaped | ||
| #1170 | Subscribe to Download Lite – Email Before Download Plugin | 34 | 106 | 157 | 400 | Non-prefixed global variable | ||
| #1171 | Swiftype Site Search Plugin for WordPress | 34 | 250 | 50 | 400 | Output is not escaped | ||
| #1172 | Tab Ultimate | 34 | 107 | 138 | 1k+ | Output is not escaped | ||
| #1173 | Testimonial Slider | 34 | 448 | 262 | 3k+ | Unsafe printing function | ||
| #1174 | Easy Mega Menu for WordPress – ThemeHunk | 34 | 480 | 256 | 1k+ | Text Domain Mismatch | ||
| #1175 | Throws SPAM Away | 34 | 327 | 123 | 10k+ | Missing Arg Domain | ||
| #1176 | Tidio – Live Chat & AI Chatbots | 34 | 52 | 19 | 80k+ | curl curl setopt | ||
| #1177 | Travel Agency Companion – Create Tour & Travel Website Using WP Travel Engine | 34 | 128 | 211 | 4k+ | Non-prefixed global variable | ||
| #1178 | Tools for Twitter | 34 | 135 | 87 | 1k+ | Output is not escaped | ||
| #1179 | Ultimate 410 Gone Status Code | 34 | 136 | 65 | 7k+ | Output is not escaped | ||
| #1180 | Abandoned Cart Reports For WooCommerce | 34 | 133 | 163 | 1k+ | Output is not escaped | ||
| #1181 | DPD SK for WooCommerce | 34 | 130 | 165 | 700 | Output is not escaped | ||
| #1182 | Pix Automático com Pagarme para WooCommerce | 34 | 68 | 66 | 500 | Non-prefixed global variable | ||
| #1183 | Weaver Xtreme Theme Support | 34 | 1,625 | 43 | 9k+ | Text Domain Mismatch | ||
| #1184 | Checkout Field Editor (Checkout Page Manager) for WooCommerce | 34 | 706 | 232 | 2k+ | Text Domain Mismatch | ||
| #1185 | Simple Discount Rules for Woocommerce | 34 | 175 | 214 | 4k+ | Nonce verification recommended | ||
| #1186 | Advanced Free Shipping for WooCommerce | 34 | 270 | 132 | 40k+ | Text Domain Mismatch | ||
| #1187 | Digital Signature Add-on for WooCommerce | 34 | 165 | 76 | 1k+ | Text Domain Mismatch | ||
| #1188 | Woopra Analytics Plugin | 34 | 114 | 53 | 900 | Output is not escaped | ||
| #1189 | WP Custom Admin Interface | 34 | 263 | 118 | 30k+ | Unsafe printing function | ||
| #1190 | Wp Default Sender Email by IT Pixelz | 34 | 682 | 25 | 500 | Output is not escaped | ||
| #1191 | WP Forms Signature Contract Add-On | 34 | 128 | 35 | 900 | Text Domain Mismatch | ||
| #1192 | Insert Headers And Footers | 34 | 83 | 113 | 300k+ | Non-prefixed global variable | ||
| #1193 | Email Template Designer – WP HTML Mail | 34 | 62 | 80 | 20k+ | badly named files | ||
| #1194 | WP LinkedIn Auto Publish | 34 | 165 | 56 | 8k+ | Output is not escaped | ||
| #1195 | WP Mail Logging | 34 | 76 | 258 | 300k+ | Nonce verification recommended | ||
| #1196 | WP Notes Widget | 34 | 217 | 36 | 700 | Output is not escaped | ||
| #1197 | WP Popup Builder – Popup Forms and Marketing Lead Generation | 34 | 357 | 143 | 3k+ | Text Domain Mismatch | ||
| #1198 | Thumbnail carousel slider | 34 | 277 | 143 | 2k+ | Output is not escaped | ||
| #1199 | WP SendFox | 34 | 296 | 118 | 1k+ | Text Domain Mismatch | ||
| #1200 | WP Subscription Forms – Subscription Form Plugin for WordPress | 34 | 131 | 220 | 400 | Non-prefixed global variable |