WordPress.Security.EscapeOutput.UnsafePrintingFunction

Unsafe printing function

A printing function is outputting dynamic content without proving that the content is escaped.

critical weight

Why It Shows Up

The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.

Why It Matters

Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.

How to Fix

  • Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
  • Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
  • Avoid marking values as safe unless they are hard-coded or already strictly constrained.
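The fixes above applied to one flagged `printf()` call, as an added example (not code from this page or from any listed plugin). It assumes it runs inside WordPress; the `myplugin_*` function names and the `text-domain` placeholder are hypothetical.

```php
<?php
// Added illustration; assumes it runs inside WordPress (e.g. a plugin file).
// The myplugin_* names and the 'text-domain' placeholder are hypothetical.

// Flagged: three dynamic arguments reach printf() with no escaping.
function myplugin_render_link_unsafe( $url, $css_class, $label ) {
	printf( '<a href="%s" class="%s">%s</a>', $url, $css_class, $label );
}

// Fixed: each argument is escaped for the context it lands in.
function myplugin_render_link( $url, $css_class, $label ) {
	printf(
		'<a href="%1$s" class="%2$s">%3$s</a>',
		esc_url( $url ),        // URL in an href attribute.
		esc_attr( $css_class ), // Value inside an HTML attribute.
		esc_html( $label )      // Text node between the tags.
	);
}

// Translated format string: the escaping wrapper performs the translation,
// and the dynamic argument is escaped separately.
function myplugin_render_byline( $author_name ) {
	printf(
		/* translators: %s: author display name. */
		esc_html__( 'Posted by %s', 'text-domain' ),
		esc_html( $author_name )
	);
}

// Translated string that must keep a link: build it, then filter the whole
// result through wp_kses() with an explicit allow-list.
function myplugin_render_docs_notice( $docs_url ) {
	$allowed = array( 'a' => array( 'href' => array() ) );
	echo wp_kses(
		sprintf(
			/* translators: %s: documentation URL. */
			__( 'Read <a href="%s">the documentation</a> first.', 'text-domain' ),
			esc_url( $docs_url )
		),
		$allowed
	);
}
```

Escaping at the point of output, rather than earlier when the variable is assigned, is what lets a reviewer confirm each argument is safe by reading the print call alone.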

Affected Plugins

Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue
#101Author Website Templates – Create Writer, Author & Publisher Websites Easily227112,910500Non-prefixed global variable
#102Shortcodes and extra features for Phlox theme2241342690k+Output is not escaped
#103ANAC XML Bandi di Gara22294244600Output is not escaped
#104Knowledge Base documentation & wiki plugin – BasePress Docs226711,7672k+Non-prefixed global variable
#105Borderless – Addons and Templates for Elementor224381,3885k+Non-prefixed global variable
#106Better Messages – Chat Rooms, Group Chat, Private Messages & AI Chat Bots221,6072,01910k+Direct Query
#107Better WordPress Minify224124848k+Non Singular String Literal Domain
#108Cart Lift – Abandoned Cart Recovery for WooCommerce and EDD226697691k+Output is not escaped
#109Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer222,8581,27050k+Text Domain Mismatch
#110Code Profiler – WordPress Performance Profiling and Debugging Made Easy222654008k+Non-prefixed global variable
#111RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login223,6545,0618k+Non-prefixed global variable
#112WP Customer Area223,30894110k+Text Domain Mismatch
#113Download Manager222,2831,335100k+Output is not escaped
#114Diverse Solutions IDX Real Estate Listings & MLS Search227456051k+Heredoc Output Not Escaped
#115E2Pdf – Export Pdf Tool for WordPress221,07583610k+Unsafe printing function
#116Easy Social Feed – Social Photos Gallery and Post Feed for WordPress221,5671,27730k+Non-prefixed global variable
#117easyReservations225,3072,480800Text Domain Mismatch
#118Estatik Real Estate Plugin223,04932510k+Text Domain Mismatch
#119Events Maker by dFactory225888191k+Output is not escaped
#120Events Manager – Calendar, Bookings, Tickets, and more!224,7125,65770k+Output is not escaped
#121Falang multilanguage for WordPress227167691k+Output is not escaped
#122File Manager Pro – Filester22565391100k+Request data is not unslashed
#123Finale Lite – Sales Countdown Timer & Discount for WooCommerce221,0314514k+Output is not escaped
#124Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder22409236700k+Text Domain Mismatch
#125Notification Bar, Announcement and Cookie Notice WordPress Plugin – FooBar221,3211,3713k+Non-prefixed global variable
#126Five Star Restaurant Menu and Food Ordering227526095k+Output is not escaped
#127GeoDirectory – WP Business Directory Plugin and Classified Listings Directory224,4663,97210k+Output is not escaped
#128Happyforms – Form Builder for WordPress: Drag & Drop Contact Forms, Surveys, Payments & Multipurpose Forms221,03772220k+Unsafe printing function
#129HeadSpace2 SEO229403603k+Text Domain Mismatch
#130Heureka22557254400Exception output is not escaped
#131History Log by click5226751,290400Direct Query
#132Csomagpontok és Címkék WooCommerce-hez222,0017697k+Text Domain Mismatch
#133IMPress for IDX Broker221,0856366k+Text Domain Mismatch
#134Insert or Embed Articulate Content into WordPress226591,4372k+Non-prefixed global variable
#135Számlázz.hu integráció WooCommerce-hez221,1694607k+Text Domain Mismatch
#136InfiniteWP Client222,2861,812200k+Exception output is not escaped
#137Import WP – Export and Import CSV and XML files to WordPress225803304k+Exception output is not escaped
#138JCC Payment Gateway for Woocommerce222,2731,136600Text Domain Mismatch
#139LearnPress – WordPress LMS Plugin for Create and Sell Online Courses222,3463,34170k+Non-prefixed global variable
#140Mail Baby SMTP22385699600SQL query is not prepared
#141MailOptin – Popup, Optin Forms & Email Newsletters for Mailchimp, HubSpot, AWeber Etc.222,6252,45810k+Output is not escaped
#142MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution221,1311,844800Non-prefixed global variable
#143Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider22207323500k+Non-prefixed global variable
#144Modula Image Gallery – Photo Grid & Video Gallery22474436100k+Text Domain Mismatch
#145Molongui Authorship – Author Boxes, Guest Authors & Co-Authors for WordPress229191,23010k+Output is not escaped
#146Moloni229023562k+Missing Arg Domain
#147Motors – Car Dealership & Classified Listings Plugin225,3405,9589k+Text Domain Mismatch
#148myCred Toolkit with AI Assistant – Scale Your Loyalty & Gamification Rewards With Integrations221,5881,172400Output is not escaped
#149Newsletters222,9682,2482k+Text Domain Mismatch
#150NinjaFirewall (WP Edition) – Advanced Security Plugin and Firewall221,2662,059100k+Non-prefixed global variable