WordPress.Security.EscapeOutput.UnsafePrintingFunction

Unsafe printing function

A printing function is outputting dynamic content without proving that the content is escaped.

critical weight

Why It Shows Up

The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.

Why It Matters

Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.

How to Fix

  • Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
  • Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
  • Avoid marking values as safe unless they are hard-coded or already strictly constrained.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1251CF7 Views – Complete Entry Management for Contact Form 7351721811k+Output is not escaped
#1252CiviCRM Admin Utilities3519871k+Non-prefixed hook name
#1253CM E-Mail Blacklist – Simple email filtering for safer registration35269205800Output is not escaped
#1254Conditional Menus35922860k+Text Domain Mismatch
#1255Conditional Widgets3567337k+Output is not escaped
#1256GDPR Cookie Consent Notice Box3546171k+Output is not escaped
#1257Cookies and Content Security Policy3526141210k+Output is not escaped
#1258Create Block Theme3543520k+unlink unlink
#1259Custom Post Type Maker35240866k+Unsafe printing function
#1260Datafeedr Product Sets356022065k+Output is not escaped
#1261Duplica – Duplicate Posts, Pages, Custom Posts or Users3514312k+Non-prefixed global variable
#1262Easy Dash for LearnDash3562388700Text Domain Mismatch
#1263Easy Panorama3512010500Non Singular String Literal Domain
#1264Easy Social Icons3518215820k+Output is not escaped
#1265Easy SwipeBox35157102k+Non Singular String Literal Domain
#1266Editorial Calendar3512716020k+Output is not escaped
#1267Email Subscription Popup — Newsletter & GDPR Consent356831931k+Output is not escaped
#1268Email Validator for Contact Form 73511174500SQL query is not prepared
#1269Embed Extended – Embed Maps, Videos, Websites, Source Codes, and more3510292400Non-prefixed global variable
#1270Enhanced Recent Posts357824400Output is not escaped
#1271Connect WooCommerce to ActiveCampaign by EqualServing35135891k+Text Domain Mismatch
#1272Export Featured Images35176671k+Output is not escaped
#1273WP2Social Auto Publish356432159k+Unsafe printing function
#1274Pixel Cat – Conversion Pixel Manager3525321540k+Output is not escaped
#1275Flat Preloader3540153k+Output is not escaped
#1276Force Reinstall35118342k+Output is not escaped
#1277Frontend Reset Password358312810k+Text Domain Mismatch
#1278Full Width Banner Slider Wp352391402k+Output is not escaped
#1279GA4WP – Analytics Dashboard for the Website354341572k+Text Domain Mismatch
#1280GeoTargeting Lite – WordPress Geolocation3566791k+Output is not escaped
#1281Get a Newsletter35138144400Output is not escaped
#1282Give – Divi Donation Modules3528612600Text Domain Mismatch
#1283Google Analytics Opt-Out353475k+Output is not escaped
#1284Reviews Block for Google35244351k+Missing Arg Domain
#1285Health Check & Troubleshooting35264238300k+Missing Arg Domain
#1286Social Comments by Heateor3528535700Unsafe printing function
#1287Iframely – WP media embeds, cards and blocks35136432k+Unsafe printing function
#1288Image Slider35192954k+Output is not escaped
#1289Image Watermark358518140k+Missing nonce verification
#1290Image Widget3516531100k+Output is not escaped
#1291ImageMagick Engine35632960k+Unsafe printing function
#1292Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts35649160k+Output is not escaped
#1293IntenseDebate Comments35203114500Output is not escaped
#1294ICIT Weather Widget353588400Output is not escaped
#1295Nobs • Share Buttons35314853k+Output is not escaped
#1296Kadence for WooCommerce and Elementor3539213k+Output is not escaped
#1297Kargo Takip35841423k+Missing nonce verification
#1298Keyring352332031k+Output is not escaped
#1299Kiyoh customer review3517368500Output is not escaped
#1300Lead Call Buttons35113815k+Output is not escaped