WordPress.Security.EscapeOutput.UnsafePrintingFunction

Unsafe printing function

A printing function is outputting dynamic content without proving that the content is escaped.

critical weight

Why It Shows Up

The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.

Why It Matters

Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.

How to Fix

  • Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
  • Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
  • Avoid marking values as safe unless they are hard-coded or already strictly constrained.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1451IntelliWidget Per Page Custom Menus and Dynamic Content36586162600Output is not escaped
#1452Italy Cookie Choices (for EU Cookie Law & Cookie Notice)361157710k+Unsafe printing function
#1453Just TinyMCE Custom Styles36112281k+Missing Arg Domain
#1454Lara's Google Analytics (GA4)36303579k+Unsafe printing function
#1455Leartes TRY Exchange Rates3625027500Text Domain Mismatch
#1456Libro de Reclamaciones y Quejas362661244k+Text Domain Mismatch
#1457Linkable Title Html and Php Widget3610831600Output is not escaped
#1458MailMunch – Grow your Email List36102496k+Output is not escaped
#1459Manage Notification E-mails3612998100k+Non-prefixed function
#1460Materialis Companion36129676k+Unsafe printing function
#1461Media Deduper3660999k+Missing Arg Domain
#1462Microsoft Clarity3648163200k+Nonce verification recommended
#1463Mobile Menu Builder for WordPress368133600Output is not escaped
#1464Motors VIN Decoder368788400Output is not escaped
#1465Multiple Sidebars3610975600Non Singular String Literal Domain
#1466WP Sticky Sidebar – Floating Sidebar On Scroll for Any Theme36938410k+Non-prefixed global variable
#1467News Ticker for Elementor3676572k+Text Domain Mismatch
#1468NextGEN Custom Fields362151311k+SQL query is not prepared
#1469MailerLite – Signup forms (official)36430158100k+Output is not escaped
#1470We’re Open!362731875k+Unsafe printing function
#1471PayTR Sanal POS WooCommerce – iFrame API361175410k+Output is not escaped
#1472Peter’s Post Notes362241023k+Output is not escaped
#1473Photoswipe Masonry Gallery3657476k+Non Singular String Literal Text
#1474Post Views Stats Counter36142241700Non-prefixed global variable
#1475Quick 301 Redirects36891205k+Non-prefixed global variable
#1476Rara One Click Demo Import361229820k+Missing Translators Comment
#1477Recent Posts3610630500Text Domain Mismatch
#1478Optimize Database after Deleting Revisions3664412760k+Output is not escaped
#1479Search Everything361657710k+Text Domain Mismatch
#1480Shadowbox JS36246141k+Unsafe printing function
#1481Subscribe to Comments3612916310k+Output is not escaped
#1482Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder3616240200k+Output is not escaped
#1483The Events Calendar Shortcode & Block367012710k+Non-prefixed hook name
#1484Toolbox for Asgaros Forum36150841k+Output is not escaped
#1485Zoho ZeptoMail36321105k+Request data is not unslashed
#1486Ubigeo de Perú para Woocommerce y WordPress361912354k+Non-prefixed function
#1487Uji Countdown36284984k+Text Domain Mismatch
#1488Slider Ultimate3629480500Output is not escaped
#1489underConstruction36986040k+Unsafe printing function
#1490PDF Flipbook, WPBakery Addon – Unreal FlipBook36400921k+Non Singular String Literal Domain
#1491User Roles and Capabilities362271328k+Output is not escaped
#1492Video Thumbnails Reloaded36343582k+Text Domain Mismatch
#1493VK Post Author Display368711310k+Non-prefixed function
#1494Wanderlust OCA para WooCommerce3615755500Text Domain Mismatch
#1495Out of Stock Message Manager for WooCommerce36293952k+Text Domain Mismatch
#1496WC Pickup Store36245522k+Output is not escaped
#1497Quantity Plus Minus Button for WooCommerce36838410k+Output is not escaped
#1498Shipping with Venipak for WooCommerce36239611k+Text Domain Mismatch
#1499When Last Login365212350k+Non-prefixed global variable
#1500Disable Payment Methods based on cart conditions for WooCommerce36158571k+Non Singular String Literal Domain