WordPress.Security.EscapeOutput.UnsafePrintingFunction

Unsafe printing function

A printing function is outputting dynamic content without proving that the content is escaped.

critical weight

Why It Shows Up

The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.

Why It Matters

Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.

How to Fix

  • Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
  • Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
  • Avoid marking values as safe unless they are hard-coded or already strictly constrained.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1401WPPerformanceTester3594441k+Output is not escaped
#1402WPZOOM Addons for Elementor – Starter Templates & Widgets3516013020k+Output is not escaped
#1403WPZOOM Forms – Drag & Drop Contact Form Builder for WordPress357410910k+Nonce verification recommended
#1404WPZOOM Portfolio Lite – Filterable Portfolio Plugin35429220k+Non-prefixed global variable
#1405Writesonic3514161k+Non-prefixed global variable
#1406Yes/No Chart351361392k+Unsafe printing function
#1407Embeds for YouTube3525530710k+Non-prefixed global variable
#1408Awesome GDPR Compliant Cookie Consent and Notice36653201500Text Domain Mismatch
#1409Bard Extra3615975700Text Domain Mismatch
#1410Black Widgets For Elementor362,60819800Text Domain Mismatch
#1411Blaze Demo Importer36101948k+Output is not escaped
#1412Blog, Posts and Category Filter for Elementor36159551k+Text Domain Mismatch
#1413BP Disable Activation Reloaded3614728800Output is not escaped
#1414BP Profile Search36321855k+Output is not escaped
#1415bpost shipping369743700Output is not escaped
#1416BuddyMeet3611432700Unsafe printing function
#1417Bulk Post Update Date36966610k+Unsafe printing function
#1418Bus Ticket Booking with Seat Reservation36145192800Non-prefixed global variable
#1419Better WordPress Recent Comments3631969600Text Domain Mismatch
#1420Carousel Ultimate36450284700Text Domain Mismatch
#1421Carousel Horizontal Posts Content Slider36271592k+Text Domain Mismatch
#1422Contact Form 7 Gated Content3612236800Short PHP open tag found
#1423Multi Step for Contact Form 7366110610k+Missing nonce verification
#1424Contact Form 7 Polylang Module3632455k+Output is not escaped
#1425CLP – Custom Login Page by NiteoThemes3624049700Output is not escaped
#1426CM Header and Footer – Add custom scripts and styles to your header and footer with ease362301981k+Output is not escaped
#1427Coming Soon, Under Construction & Maintenance Mode By Dazzler361731326k+Text Domain Mismatch
#1428Conditional Payments for WooCommerce3629218410k+Text Domain Mismatch
#1429Conditional Shipping for WooCommerce369319610k+Non-prefixed global variable
#1430Crelly Slider3642118510k+Unsafe printing function
#1431CSH Login3612641500Output is not escaped
#1432Custom PHP Settings361537610k+Output is not escaped
#1433Doneren met Mollie364203514k+SQL query is not prepared
#1434Easy Support Videos – Embed videos in the admin3616095500Output is not escaped
#1435Product Carousel Slider for Elementor36148631k+Text Domain Mismatch
#1436Email Before Download3689296k+Unsafe printing function
#1437Enhanced Media Library3636111760k+Unsafe printing function
#1438Envo's Templates & Widgets for Elementor and WooCommerce361,0655410k+Text Domain Mismatch
#1439Events Manager and WPML Compatibility361011771k+Direct Query
#1440Export Variable Products367949400Text Domain Mismatch
#1441Happy WooCommerce FAQs – Ultimate Product FAQ Plugin36651191k+Nonce verification recommended
#1442FreePay for WooCommerce36114102400Output is not escaped
#1443Genesis Sandbox Featured Content Widget36229241k+Text Domain Mismatch
#1444GetPaid > Wallet36174227700Text Domain Mismatch
#1445Header Footer Code Manager3681180600k+Non-prefixed global variable
#1446Optimize Social Share36203613k+Unsafe printing function
#1447HTML Forms – Simple WordPress Forms Plugin3623116610k+Output is not escaped
#1448HTML5 Maps361941605k+Output is not escaped
#1449Page Speed Optimizer: HTTP/2 Push, Async JavaScript, and Defer CSS3668336k+Output is not escaped
#1450If-So Geolocation3650571k+Non-prefixed global variable