WordPress.Security.EscapeOutput.UnsafePrintingFunction

Unsafe printing function

A printing function is outputting dynamic content without proving that the content is escaped.

critical weight

Why It Shows Up

The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.

Why It Matters

Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.

How to Fix

  • Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
  • Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
  • Avoid marking values as safe unless they are hard-coded or already strictly constrained.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1201WP Popup Builder – Popup Forms and Marketing Lead Generation343571433k+Text Domain Mismatch
#1202Thumbnail carousel slider342771432k+Output is not escaped
#1203WP SendFox342961181k+Text Domain Mismatch
#1204WP Subscription Forms – Subscription Form Plugin for WordPress34131220400Non-prefixed global variable
#1205WP Twitter Feeds34202822k+Output is not escaped
#1206WP Ultimate Post Grid34114744k+Missing direct file access protection
#1207Live Visitor Counter341081144k+Interpolated SQL is not prepared
#1208Wp Favs – Plugin Manager342381533k+Text Domain Mismatch
#1209WPLMS MyCred AddOn3438373800Text Domain Mismatch
#1210YourChannel: Everything you want in a YouTube plugin.3426211510k+Text Domain Mismatch
#1211Embed Plus for YouTube Gallery, Livestream and Lazy Loading with Facades34571195100k+Output is not escaped
#1212Zero Spam for WordPress347939320k+Non-prefixed global variable
#1213ACF Color Swatches3550211k+Text Domain Mismatch
#1214ACF: Focal Point35616400Text Domain Mismatch
#1215Advanced Custom Fields: Image Aspect Ratio Crop Field35703720k+Text Domain Mismatch
#1216ACF: Image Hotspots Field352652k+Text Domain Mismatch
#1217Admin Color Schemer35166201k+Exception output is not escaped
#1218Advanced Permalinks359476400wp function not compatible with requires wp
#1219Advanced Reporting for Woocommerce35296101400Output is not escaped
#1220Affiliate Link Marker35314400Text Domain Mismatch
#1221Air WP Sync – Airtable to WordPress3537451k+Non-prefixed hook name
#1222AMIMOTO Plugin Dashboard358282900Non Singular String Literal Domain
#1223Amministrazione Trasparente3580461k+Output is not escaped
#1224AnsPress – Question and answer35227783k+Non-prefixed function
#1225AppMySite – WordPress & WooCommerce Mobile App Builder (No-Code Android & iOS App Maker)35165377k+Missing Arg Domain
#1226Aquila Admin Theme351513293k+Non-prefixed global variable
#1227Author Box WP Lens35169491k+Unsafe printing function
#1228Authors Widget35170191k+Output is not escaped
#1229Autocomplete For Relevanssi35309900Unsafe printing function
#1230Awin – Advertiser Tracking for WooCommerce3546391k+Non Singular String Literal Domain
#1231AXP Cyrillic to Latin352131k+Output is not escaped
#1232Basic Google Maps Placemarks35189803k+Output is not escaped
#1233Before After Image Comparison Slider for WPBakery Page Builder3558591k+Output is not escaped
#1234belingoGeo351361331k+Output is not escaped
#1235Better Recent Comments35127292k+Text Domain Mismatch
#1236Block Comment Spam Bots353117800Output is not escaped
#1237Block User Account352801431k+Unsafe printing function
#1238BlossomThemes Toolkit353475230k+Output is not escaped
#1239Tooltipy (tooltips for WP)353701251k+Text Domain Mismatch
#1240Bootstrap for Contact Form 735357310k+Nonce verification recommended
#1241BuddyPress Activity Filter352566400Nonce verification recommended
#1242Registration Options for BuddyPress35471321k+Non-prefixed function
#1243Brozzme DB Prefix & Tools Addons35244210k+Request data is not unslashed
#1244BSK Forms Blacklist358315501k+Output is not escaped
#1245Business Hours Indicator351391068k+Alternative PHP tag found
#1246C3 Cloudfront Cache Controller35109603k+Non Singular String Literal Domain
#1247CF7 Spreadsheets3510062400Text Domain Mismatch
#1248Popup for CF7 with Sweet Alert3526122k+Text Domain Mismatch
#1249CF7 Views – Complete Entry Management for Contact Form 7351721811k+Output is not escaped
#1250CiviCRM Admin Utilities3519871k+Non-prefixed hook name