WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1201 | WP Popup Builder – Popup Forms and Marketing Lead Generation | 34 | 357 | 143 | 3k+ | Text Domain Mismatch | ||
| #1202 | Thumbnail carousel slider | 34 | 277 | 143 | 2k+ | Output is not escaped | ||
| #1203 | WP SendFox | 34 | 296 | 118 | 1k+ | Text Domain Mismatch | ||
| #1204 | WP Subscription Forms – Subscription Form Plugin for WordPress | 34 | 131 | 220 | 400 | Non-prefixed global variable | ||
| #1205 | WP Twitter Feeds | 34 | 202 | 82 | 2k+ | Output is not escaped | ||
| #1206 | WP Ultimate Post Grid | 34 | 114 | 74 | 4k+ | Missing direct file access protection | ||
| #1207 | Live Visitor Counter | 34 | 108 | 114 | 4k+ | Interpolated SQL is not prepared | ||
| #1208 | Wp Favs – Plugin Manager | 34 | 238 | 153 | 3k+ | Text Domain Mismatch | ||
| #1209 | WPLMS MyCred AddOn | 34 | 383 | 73 | 800 | Text Domain Mismatch | ||
| #1210 | YourChannel: Everything you want in a YouTube plugin. | 34 | 262 | 115 | 10k+ | Text Domain Mismatch | ||
| #1211 | Embed Plus for YouTube Gallery, Livestream and Lazy Loading with Facades | 34 | 571 | 195 | 100k+ | Output is not escaped | ||
| #1212 | Zero Spam for WordPress | 34 | 79 | 393 | 20k+ | Non-prefixed global variable | ||
| #1213 | ACF Color Swatches | 35 | 50 | 21 | 1k+ | Text Domain Mismatch | ||
| #1214 | ACF: Focal Point | 35 | 61 | 6 | 400 | Text Domain Mismatch | ||
| #1215 | Advanced Custom Fields: Image Aspect Ratio Crop Field | 35 | 70 | 37 | 20k+ | Text Domain Mismatch | ||
| #1216 | ACF: Image Hotspots Field | 35 | 26 | 5 | 2k+ | Text Domain Mismatch | ||
| #1217 | Admin Color Schemer | 35 | 166 | 20 | 1k+ | Exception output is not escaped | ||
| #1218 | Advanced Permalinks | 35 | 94 | 76 | 400 | wp function not compatible with requires wp | ||
| #1219 | Advanced Reporting for Woocommerce | 35 | 296 | 101 | 400 | Output is not escaped | ||
| #1220 | Affiliate Link Marker | 35 | 31 | 4 | 400 | Text Domain Mismatch | ||
| #1221 | Air WP Sync – Airtable to WordPress | 35 | 37 | 45 | 1k+ | Non-prefixed hook name | ||
| #1222 | AMIMOTO Plugin Dashboard | 35 | 82 | 82 | 900 | Non Singular String Literal Domain | ||
| #1223 | Amministrazione Trasparente | 35 | 80 | 46 | 1k+ | Output is not escaped | ||
| #1224 | AnsPress – Question and answer | 35 | 22 | 778 | 3k+ | Non-prefixed function | ||
| #1225 | AppMySite – WordPress & WooCommerce Mobile App Builder (No-Code Android & iOS App Maker) | 35 | 165 | 37 | 7k+ | Missing Arg Domain | ||
| #1226 | Aquila Admin Theme | 35 | 151 | 329 | 3k+ | Non-prefixed global variable | ||
| #1227 | Author Box WP Lens | 35 | 169 | 49 | 1k+ | Unsafe printing function | ||
| #1228 | Authors Widget | 35 | 170 | 19 | 1k+ | Output is not escaped | ||
| #1229 | Autocomplete For Relevanssi | 35 | 30 | 9 | 900 | Unsafe printing function | ||
| #1230 | Awin – Advertiser Tracking for WooCommerce | 35 | 46 | 39 | 1k+ | Non Singular String Literal Domain | ||
| #1231 | AXP Cyrillic to Latin | 35 | 21 | 3 | 1k+ | Output is not escaped | ||
| #1232 | Basic Google Maps Placemarks | 35 | 189 | 80 | 3k+ | Output is not escaped | ||
| #1233 | Before After Image Comparison Slider for WPBakery Page Builder | 35 | 58 | 59 | 1k+ | Output is not escaped | ||
| #1234 | belingoGeo | 35 | 136 | 133 | 1k+ | Output is not escaped | ||
| #1235 | Better Recent Comments | 35 | 127 | 29 | 2k+ | Text Domain Mismatch | ||
| #1236 | Block Comment Spam Bots | 35 | 31 | 17 | 800 | Output is not escaped | ||
| #1237 | Block User Account | 35 | 280 | 143 | 1k+ | Unsafe printing function | ||
| #1238 | BlossomThemes Toolkit | 35 | 347 | 52 | 30k+ | Output is not escaped | ||
| #1239 | Tooltipy (tooltips for WP) | 35 | 370 | 125 | 1k+ | Text Domain Mismatch | ||
| #1240 | Bootstrap for Contact Form 7 | 35 | 35 | 73 | 10k+ | Nonce verification recommended | ||
| #1241 | BuddyPress Activity Filter | 35 | 25 | 66 | 400 | Nonce verification recommended | ||
| #1242 | Registration Options for BuddyPress | 35 | 47 | 132 | 1k+ | Non-prefixed function | ||
| #1243 | Brozzme DB Prefix & Tools Addons | 35 | 24 | 42 | 10k+ | Request data is not unslashed | ||
| #1244 | BSK Forms Blacklist | 35 | 831 | 550 | 1k+ | Output is not escaped | ||
| #1245 | Business Hours Indicator | 35 | 139 | 106 | 8k+ | Alternative PHP tag found | ||
| #1246 | C3 Cloudfront Cache Controller | 35 | 109 | 60 | 3k+ | Non Singular String Literal Domain | ||
| #1247 | CF7 Spreadsheets | 35 | 100 | 62 | 400 | Text Domain Mismatch | ||
| #1248 | Popup for CF7 with Sweet Alert | 35 | 26 | 12 | 2k+ | Text Domain Mismatch | ||
| #1249 | CF7 Views – Complete Entry Management for Contact Form 7 | 35 | 172 | 181 | 1k+ | Output is not escaped | ||
| #1250 | CiviCRM Admin Utilities | 35 | 19 | 87 | 1k+ | Non-prefixed hook name |