WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1301 | Login-Logout | 35 | 104 | 8 | 3k+ | Output is not escaped | ||
| #1302 | Login Page Styler – Custom WordPress Login Page Customizer & Security | 35 | 125 | 168 | 2k+ | Missing Arg Domain | ||
| #1303 | Mark Posts | 35 | 30 | 34 | 1k+ | Output is not escaped | ||
| #1304 | Marquee image crawler | 35 | 168 | 136 | 700 | Non-prefixed global variable | ||
| #1305 | Mechanic Visitor Counter | 35 | 240 | 66 | 7k+ | Output is not escaped | ||
| #1306 | Restaurant Menu – Food Ordering System – Table Reservation | 35 | 317 | 186 | 8k+ | Unsafe printing function | ||
| #1307 | mosparo Integration | 35 | 114 | 301 | 900 | Missing nonce verification | ||
| #1308 | Never Let Me Go | 35 | 34 | 47 | 400 | Non-prefixed global variable | ||
| #1309 | NGG Smart Image Search | 35 | 298 | 155 | 400 | Output is not escaped | ||
| #1310 | Nginx Cache Controller | 35 | 79 | 96 | 1k+ | Text Domain Mismatch | ||
| #1311 | Nooz | 35 | 287 | 108 | 500 | Text Domain Mismatch | ||
| #1312 | One Page Express Companion | 35 | 132 | 65 | 10k+ | Output is not escaped | ||
| #1313 | ONet Regenerate Thumbnails | 35 | 190 | 64 | 1k+ | Text Domain Mismatch | ||
| #1314 | Plugin Ongkos Kirim JNE Tiki Sicepat Wahana J&T POS for Woocommerce | 35 | 117 | 144 | 2k+ | Output is not escaped | ||
| #1315 | Order Delivery Date for WooCommerce | 35 | 2,075 | 73 | 10k+ | wp function not compatible with requires wp | ||
| #1316 | OT Flatsome Vertical Menu | 35 | 126 | 26 | 10k+ | Text Domain Mismatch | ||
| #1317 | Page Optimize | 35 | 70 | 41 | 200k+ | Non Singular String Literal Domain | ||
| #1318 | Paybox WooCommerce Payment Gateway | 35 | 165 | 88 | 500 | Non Singular String Literal Domain | ||
| #1319 | Pixeline's Email Protector | 35 | 77 | 5 | 800 | Unsafe printing function | ||
| #1320 | Planyo online reservation system | 35 | 64 | 90 | 400 | Output is not escaped | ||
| #1321 | Poptin – Email Marketing Automation, Newsletter & Exit Pop Ups, Email Popups | 35 | 168 | 29 | 20k+ | Output is not escaped | ||
| #1322 | Popular Posts | 35 | 166 | 71 | 900 | Unsafe printing function | ||
| #1323 | Popup with fancybox | 35 | 196 | 168 | 900 | Unsafe printing function | ||
| #1324 | Post Content Shortcodes | 35 | 205 | 56 | 2k+ | Output is not escaped | ||
| #1325 | Post List Featured Image | 35 | 112 | 100 | 900 | Output is not escaped | ||
| #1326 | Post Password Token | 35 | 132 | 38 | 600 | Text Domain Mismatch | ||
| #1327 | Pronamic Client | 35 | 111 | 48 | 700 | Output is not escaped | ||
| #1328 | QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly | 35 | 225 | 110 | 8k+ | Non Singular String Literal Domain | ||
| #1329 | Real Time Validation for Gravity Forms | 35 | 185 | 30 | 2k+ | Output is not escaped | ||
| #1330 | Related Posts by Taxonomy | 35 | 131 | 97 | 10k+ | Output is not escaped | ||
| #1331 | Related Posts for WordPress | 35 | 207 | 180 | 10k+ | Output is not escaped | ||
| #1332 | Remove Admin Toolbar | 35 | 13 | 7 | 600 | Missing direct file access protection | ||
| #1333 | Restrict Elementor Widgets, Columns and Sections | 35 | 18 | 53 | 500 | Non-prefixed function | ||
| #1334 | Robots.txt rewrite | 35 | 56 | 19 | 1k+ | Output is not escaped | ||
| #1335 | sCode (Easy Shortcodes) | 35 | 157 | 97 | 400 | Text Domain Mismatch | ||
| #1336 | Internal Links Manager | 35 | 188 | 121 | 10k+ | Output is not escaped | ||
| #1337 | Shipping Zones by Drawing for WooCommerce | 35 | 278 | 95 | 600 | Text Domain Mismatch | ||
| #1338 | Shop Page WP | 35 | 68 | 23 | 2k+ | Unsafe printing function | ||
| #1339 | Simple Header Footer HTML | 35 | 30 | 5 | 3k+ | Output is not escaped | ||
| #1340 | Simple Image Sizes | 35 | 53 | 75 | 60k+ | Unsafe printing function | ||
| #1341 | Simple Yearly Archive | 35 | 102 | 36 | 6k+ | Unsafe printing function | ||
| #1342 | SimpleTOC – Table of Contents Block | 35 | 10 | 0 | 10k+ | Setting is missing a sanitization callback | ||
| #1343 | SiteGround Migrator | 35 | 113 | 74 | 80k+ | Missing Arg Domain | ||
| #1344 | Sitekit | 35 | 122 | 8 | 3k+ | Output is not escaped | ||
| #1345 | Slick Slider | 35 | 36 | 9 | 2k+ | Output is not escaped | ||
| #1346 | SiteOrigin CSS | 35 | 61 | 84 | 100k+ | Not In Footer | ||
| #1347 | Spacious Toolkit | 35 | 48 | 94 | 700 | Non-prefixed global variable | ||
| #1348 | Spots | 35 | 195 | 49 | 800 | Output is not escaped | ||
| #1349 | Square Thumbnails | 35 | 43 | 317 | 800 | error log error log | ||
| #1350 | SSL Insecure Content Fixer | 35 | 28 | 60 | 100k+ | Input is not sanitized |