WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1251 | CF7 Views – Complete Entry Management for Contact Form 7 | 35 | 172 | 181 | 1k+ | Output is not escaped | ||
| #1252 | CiviCRM Admin Utilities | 35 | 19 | 87 | 1k+ | Non-prefixed hook name | ||
| #1253 | CM E-Mail Blacklist – Simple email filtering for safer registration | 35 | 269 | 205 | 800 | Output is not escaped | ||
| #1254 | Conditional Menus | 35 | 92 | 28 | 60k+ | Text Domain Mismatch | ||
| #1255 | Conditional Widgets | 35 | 67 | 33 | 7k+ | Output is not escaped | ||
| #1256 | GDPR Cookie Consent Notice Box | 35 | 46 | 17 | 1k+ | Output is not escaped | ||
| #1257 | Cookies and Content Security Policy | 35 | 261 | 412 | 10k+ | Output is not escaped | ||
| #1258 | Create Block Theme | 35 | 43 | 5 | 20k+ | unlink unlink | ||
| #1259 | Custom Post Type Maker | 35 | 240 | 86 | 6k+ | Unsafe printing function | ||
| #1260 | Datafeedr Product Sets | 35 | 602 | 206 | 5k+ | Output is not escaped | ||
| #1261 | Duplica – Duplicate Posts, Pages, Custom Posts or Users | 35 | 14 | 31 | 2k+ | Non-prefixed global variable | ||
| #1262 | Easy Dash for LearnDash | 35 | 623 | 88 | 700 | Text Domain Mismatch | ||
| #1263 | Easy Panorama | 35 | 120 | 10 | 500 | Non Singular String Literal Domain | ||
| #1264 | Easy Social Icons | 35 | 182 | 158 | 20k+ | Output is not escaped | ||
| #1265 | Easy SwipeBox | 35 | 157 | 10 | 2k+ | Non Singular String Literal Domain | ||
| #1266 | Editorial Calendar | 35 | 127 | 160 | 20k+ | Output is not escaped | ||
| #1267 | Email Subscription Popup — Newsletter & GDPR Consent | 35 | 683 | 193 | 1k+ | Output is not escaped | ||
| #1268 | Email Validator for Contact Form 7 | 35 | 111 | 74 | 500 | SQL query is not prepared | ||
| #1269 | Embed Extended – Embed Maps, Videos, Websites, Source Codes, and more | 35 | 102 | 92 | 400 | Non-prefixed global variable | ||
| #1270 | Enhanced Recent Posts | 35 | 78 | 24 | 400 | Output is not escaped | ||
| #1271 | Connect WooCommerce to ActiveCampaign by EqualServing | 35 | 135 | 89 | 1k+ | Text Domain Mismatch | ||
| #1272 | Export Featured Images | 35 | 176 | 67 | 1k+ | Output is not escaped | ||
| #1273 | WP2Social Auto Publish | 35 | 643 | 215 | 9k+ | Unsafe printing function | ||
| #1274 | Pixel Cat – Conversion Pixel Manager | 35 | 253 | 215 | 40k+ | Output is not escaped | ||
| #1275 | Flat Preloader | 35 | 40 | 15 | 3k+ | Output is not escaped | ||
| #1276 | Force Reinstall | 35 | 118 | 34 | 2k+ | Output is not escaped | ||
| #1277 | Frontend Reset Password | 35 | 83 | 128 | 10k+ | Text Domain Mismatch | ||
| #1278 | Full Width Banner Slider Wp | 35 | 239 | 140 | 2k+ | Output is not escaped | ||
| #1279 | GA4WP – Analytics Dashboard for the Website | 35 | 434 | 157 | 2k+ | Text Domain Mismatch | ||
| #1280 | GeoTargeting Lite – WordPress Geolocation | 35 | 66 | 79 | 1k+ | Output is not escaped | ||
| #1281 | Get a Newsletter | 35 | 138 | 144 | 400 | Output is not escaped | ||
| #1282 | Give – Divi Donation Modules | 35 | 286 | 12 | 600 | Text Domain Mismatch | ||
| #1283 | Google Analytics Opt-Out | 35 | 34 | 7 | 5k+ | Output is not escaped | ||
| #1284 | Reviews Block for Google | 35 | 244 | 35 | 1k+ | Missing Arg Domain | ||
| #1285 | Health Check & Troubleshooting | 35 | 264 | 238 | 300k+ | Missing Arg Domain | ||
| #1286 | Social Comments by Heateor | 35 | 285 | 35 | 700 | Unsafe printing function | ||
| #1287 | Iframely – WP media embeds, cards and blocks | 35 | 136 | 43 | 2k+ | Unsafe printing function | ||
| #1288 | Image Slider | 35 | 192 | 95 | 4k+ | Output is not escaped | ||
| #1289 | Image Watermark | 35 | 85 | 181 | 40k+ | Missing nonce verification | ||
| #1290 | Image Widget | 35 | 165 | 31 | 100k+ | Output is not escaped | ||
| #1291 | ImageMagick Engine | 35 | 63 | 29 | 60k+ | Unsafe printing function | ||
| #1292 | Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts | 35 | 64 | 91 | 60k+ | Output is not escaped | ||
| #1293 | IntenseDebate Comments | 35 | 203 | 114 | 500 | Output is not escaped | ||
| #1294 | ICIT Weather Widget | 35 | 358 | 8 | 400 | Output is not escaped | ||
| #1295 | Nobs • Share Buttons | 35 | 314 | 85 | 3k+ | Output is not escaped | ||
| #1296 | Kadence for WooCommerce and Elementor | 35 | 39 | 21 | 3k+ | Output is not escaped | ||
| #1297 | Kargo Takip | 35 | 84 | 142 | 3k+ | Missing nonce verification | ||
| #1298 | Keyring | 35 | 233 | 203 | 1k+ | Output is not escaped | ||
| #1299 | Kiyoh customer review | 35 | 173 | 68 | 500 | Output is not escaped | ||
| #1300 | Lead Call Buttons | 35 | 113 | 81 | 5k+ | Output is not escaped |