WordPress.Security.EscapeOutput.UnsafePrintingFunction

Unsafe printing function

A printing function is outputting dynamic content without proving that the content is escaped.

critical weight

Why It Shows Up

The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.

Why It Matters

Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.

How to Fix

  • Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
  • Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
  • Avoid marking values as safe unless they are hard-coded or already strictly constrained.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1351Subscribe to Unlock Lite – Opt In Content Locker Plugin for WordPress35106145500Non-prefixed global variable
#1352Tapfiliate353549400Nonce verification recommended
#1353TBThemes Theme Import358448400Text Domain Mismatch
#1354TC Custom JavaScript35192610k+Missing Version
#1355Team Showcase – Responsive Team Members Grid, Slider & Carousel Plugin351,0004102k+Text Domain Mismatch
#1356Teamleader CRM Forms3515030500Non Singular String Literal Domain
#1357Advance Product Search- Voice & Ajax Search for WooCommerce351259210k+Text Domain Mismatch
#1358Theme Blvd Layout Builder352071692k+Output is not escaped
#1359Themify Audio Dock35229900Non-prefixed global variable
#1360Themify Icons3533123k+Output is not escaped
#1361Themify Shortcodes3536167k+Output is not escaped
#1362Thumbnail Editor3518768600wp function not compatible with requires wp
#1363TinyMCE Templates35412720k+Text Domain Mismatch
#1364Two Factor Authentication3510813920k+Output is not escaped
#1365uCalc35788600Text Domain Mismatch
#1366Uptime Robot Plugin for WordPress35398324600Text Domain Mismatch
#1367User Photo35112683k+Output is not escaped
#1368Video Gallery35336178600Output is not escaped
#1369W4 Post List35501383k+Non-prefixed global variable
#1370ShipStation Live Rates for WooCommerce3540273900Non Singular String Literal Domain
#1371Spreadconnect35128126700Output is not escaped
#1372Webflow Pages3536632k+Non Singular String Literal Domain
#1373Wired Impact Volunteer Management352531751k+Output is not escaped
#1374CardCom Payment Gateway35201843k+Text Domain Mismatch
#1375Sola Payment Gateway for WooCommerce35107116700Missing Translators Comment
#1376Custom Payment Gateways for WooCommerce35202313k+Non Singular String Literal Domain
#1377Title Limit for WooCommerce3541124k+Output is not escaped
#1378Custom Payment Gateway for WooCommerce3511128k+Missing nonce verification
#1379Payment Gateway for PayPal Pro & PayPal Checkout for WooCommerce35671472k+Request data is not unslashed
#1380Product Tabs for WooCommerce3519610010k+Text Domain Mismatch
#1381Easy Accept Payments via PayPal353221287k+Text Domain Mismatch
#1382WP Associate Post R235259863k+Output is not escaped
#1383Category Dropdown by GCS Design3593521k+Output is not escaped
#1384WP Compiler3533201k+Output is not escaped
#1385WP Datepicker352251817k+Output is not escaped
#1386Database Backup for WordPress351288870k+Output is not escaped
#1387WP Flexslider35157600Unsafe printing function
#1388Auto Publish for Google My Business3521619210k+Input is not validated
#1389Mail logging – WP Mail Catcher3523215720k+Text Domain Mismatch
#1390WP-Paginate35375520k+Input is not validated
#1391WP-Persian35144377k+Unsafe printing function
#1392WP Post Nav3573242400Non-prefixed global variable
#1393WP-PostViews3513264100k+Unsafe printing function
#1394WP-Print35110528k+Unsafe printing function
#1395WP All Import – Property Import for WP Residence354132700Output is not escaped
#1396video carousel slider with lightbox353501361k+Output is not escaped
#1397WP Site Verification tool3534371k+Non-prefixed global variable
#1398WP Spam Question Filter3563302k+Output is not escaped
#1399WP System Information3523730700Text Domain Mismatch
#1400Integration for WooCommerce and QuickBooks352631251k+Output is not escaped