WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1401 | WPPerformanceTester | 35 | 94 | 44 | 1k+ | Output is not escaped | ||
| #1402 | WPZOOM Addons for Elementor – Starter Templates & Widgets | 35 | 160 | 130 | 20k+ | Output is not escaped | ||
| #1403 | WPZOOM Forms – Drag & Drop Contact Form Builder for WordPress | 35 | 74 | 109 | 10k+ | Nonce verification recommended | ||
| #1404 | WPZOOM Portfolio Lite – Filterable Portfolio Plugin | 35 | 42 | 92 | 20k+ | Non-prefixed global variable | ||
| #1405 | Writesonic | 35 | 14 | 16 | 1k+ | Non-prefixed global variable | ||
| #1406 | Yes/No Chart | 35 | 136 | 139 | 2k+ | Unsafe printing function | ||
| #1407 | Embeds for YouTube | 35 | 255 | 307 | 10k+ | Non-prefixed global variable | ||
| #1408 | Awesome GDPR Compliant Cookie Consent and Notice | 36 | 653 | 201 | 500 | Text Domain Mismatch | ||
| #1409 | Bard Extra | 36 | 159 | 75 | 700 | Text Domain Mismatch | ||
| #1410 | Black Widgets For Elementor | 36 | 2,608 | 19 | 800 | Text Domain Mismatch | ||
| #1411 | Blaze Demo Importer | 36 | 101 | 94 | 8k+ | Output is not escaped | ||
| #1412 | Blog, Posts and Category Filter for Elementor | 36 | 159 | 55 | 1k+ | Text Domain Mismatch | ||
| #1413 | BP Disable Activation Reloaded | 36 | 147 | 28 | 800 | Output is not escaped | ||
| #1414 | BP Profile Search | 36 | 321 | 85 | 5k+ | Output is not escaped | ||
| #1415 | bpost shipping | 36 | 97 | 43 | 700 | Output is not escaped | ||
| #1416 | BuddyMeet | 36 | 114 | 32 | 700 | Unsafe printing function | ||
| #1417 | Bulk Post Update Date | 36 | 96 | 66 | 10k+ | Unsafe printing function | ||
| #1418 | Bus Ticket Booking with Seat Reservation | 36 | 145 | 192 | 800 | Non-prefixed global variable | ||
| #1419 | Better WordPress Recent Comments | 36 | 319 | 69 | 600 | Text Domain Mismatch | ||
| #1420 | Carousel Ultimate | 36 | 450 | 284 | 700 | Text Domain Mismatch | ||
| #1421 | Carousel Horizontal Posts Content Slider | 36 | 271 | 59 | 2k+ | Text Domain Mismatch | ||
| #1422 | Contact Form 7 Gated Content | 36 | 122 | 36 | 800 | Short PHP open tag found | ||
| #1423 | Multi Step for Contact Form 7 | 36 | 61 | 106 | 10k+ | Missing nonce verification | ||
| #1424 | Contact Form 7 Polylang Module | 36 | 32 | 45 | 5k+ | Output is not escaped | ||
| #1425 | CLP – Custom Login Page by NiteoThemes | 36 | 240 | 49 | 700 | Output is not escaped | ||
| #1426 | CM Header and Footer – Add custom scripts and styles to your header and footer with ease | 36 | 230 | 198 | 1k+ | Output is not escaped | ||
| #1427 | Coming Soon, Under Construction & Maintenance Mode By Dazzler | 36 | 173 | 132 | 6k+ | Text Domain Mismatch | ||
| #1428 | Conditional Payments for WooCommerce | 36 | 292 | 184 | 10k+ | Text Domain Mismatch | ||
| #1429 | Conditional Shipping for WooCommerce | 36 | 93 | 196 | 10k+ | Non-prefixed global variable | ||
| #1430 | Crelly Slider | 36 | 421 | 185 | 10k+ | Unsafe printing function | ||
| #1431 | CSH Login | 36 | 126 | 41 | 500 | Output is not escaped | ||
| #1432 | Custom PHP Settings | 36 | 153 | 76 | 10k+ | Output is not escaped | ||
| #1433 | Doneren met Mollie | 36 | 420 | 351 | 4k+ | SQL query is not prepared | ||
| #1434 | Easy Support Videos – Embed videos in the admin | 36 | 160 | 95 | 500 | Output is not escaped | ||
| #1435 | Product Carousel Slider for Elementor | 36 | 148 | 63 | 1k+ | Text Domain Mismatch | ||
| #1436 | Email Before Download | 36 | 89 | 29 | 6k+ | Unsafe printing function | ||
| #1437 | Enhanced Media Library | 36 | 361 | 117 | 60k+ | Unsafe printing function | ||
| #1438 | Envo's Templates & Widgets for Elementor and WooCommerce | 36 | 1,065 | 54 | 10k+ | Text Domain Mismatch | ||
| #1439 | Events Manager and WPML Compatibility | 36 | 101 | 177 | 1k+ | Direct Query | ||
| #1440 | Export Variable Products | 36 | 79 | 49 | 400 | Text Domain Mismatch | ||
| #1441 | Happy WooCommerce FAQs – Ultimate Product FAQ Plugin | 36 | 65 | 119 | 1k+ | Nonce verification recommended | ||
| #1442 | FreePay for WooCommerce | 36 | 114 | 102 | 400 | Output is not escaped | ||
| #1443 | Genesis Sandbox Featured Content Widget | 36 | 229 | 24 | 1k+ | Text Domain Mismatch | ||
| #1444 | GetPaid > Wallet | 36 | 174 | 227 | 700 | Text Domain Mismatch | ||
| #1445 | Header Footer Code Manager | 36 | 81 | 180 | 600k+ | Non-prefixed global variable | ||
| #1446 | Optimize Social Share | 36 | 203 | 61 | 3k+ | Unsafe printing function | ||
| #1447 | HTML Forms – Simple WordPress Forms Plugin | 36 | 231 | 166 | 10k+ | Output is not escaped | ||
| #1448 | HTML5 Maps | 36 | 194 | 160 | 5k+ | Output is not escaped | ||
| #1449 | Page Speed Optimizer: HTTP/2 Push, Async JavaScript, and Defer CSS | 36 | 68 | 33 | 6k+ | Output is not escaped | ||
| #1450 | If-So Geolocation | 36 | 50 | 57 | 1k+ | Non-prefixed global variable |