WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1451 | IntelliWidget Per Page Custom Menus and Dynamic Content | 36 | 586 | 162 | 600 | Output is not escaped | ||
| #1452 | Italy Cookie Choices (for EU Cookie Law & Cookie Notice) | 36 | 115 | 77 | 10k+ | Unsafe printing function | ||
| #1453 | Just TinyMCE Custom Styles | 36 | 112 | 28 | 1k+ | Missing Arg Domain | ||
| #1454 | Lara's Google Analytics (GA4) | 36 | 303 | 57 | 9k+ | Unsafe printing function | ||
| #1455 | Leartes TRY Exchange Rates | 36 | 250 | 27 | 500 | Text Domain Mismatch | ||
| #1456 | Libro de Reclamaciones y Quejas | 36 | 266 | 124 | 4k+ | Text Domain Mismatch | ||
| #1457 | Linkable Title Html and Php Widget | 36 | 108 | 31 | 600 | Output is not escaped | ||
| #1458 | MailMunch – Grow your Email List | 36 | 102 | 49 | 6k+ | Output is not escaped | ||
| #1459 | Manage Notification E-mails | 36 | 129 | 98 | 100k+ | Non-prefixed function | ||
| #1460 | Materialis Companion | 36 | 129 | 67 | 6k+ | Unsafe printing function | ||
| #1461 | Media Deduper | 36 | 60 | 99 | 9k+ | Missing Arg Domain | ||
| #1462 | Microsoft Clarity | 36 | 48 | 163 | 200k+ | Nonce verification recommended | ||
| #1463 | Mobile Menu Builder for WordPress | 36 | 81 | 33 | 600 | Output is not escaped | ||
| #1464 | Motors VIN Decoder | 36 | 87 | 88 | 400 | Output is not escaped | ||
| #1465 | Multiple Sidebars | 36 | 109 | 75 | 600 | Non Singular String Literal Domain | ||
| #1466 | WP Sticky Sidebar – Floating Sidebar On Scroll for Any Theme | 36 | 93 | 84 | 10k+ | Non-prefixed global variable | ||
| #1467 | News Ticker for Elementor | 36 | 76 | 57 | 2k+ | Text Domain Mismatch | ||
| #1468 | NextGEN Custom Fields | 36 | 215 | 131 | 1k+ | SQL query is not prepared | ||
| #1469 | MailerLite – Signup forms (official) | 36 | 430 | 158 | 100k+ | Output is not escaped | ||
| #1470 | We’re Open! | 36 | 273 | 187 | 5k+ | Unsafe printing function | ||
| #1471 | PayTR Sanal POS WooCommerce – iFrame API | 36 | 117 | 54 | 10k+ | Output is not escaped | ||
| #1472 | Peter’s Post Notes | 36 | 224 | 102 | 3k+ | Output is not escaped | ||
| #1473 | Photoswipe Masonry Gallery | 36 | 57 | 47 | 6k+ | Non Singular String Literal Text | ||
| #1474 | Post Views Stats Counter | 36 | 142 | 241 | 700 | Non-prefixed global variable | ||
| #1475 | Quick 301 Redirects | 36 | 89 | 120 | 5k+ | Non-prefixed global variable | ||
| #1476 | Rara One Click Demo Import | 36 | 122 | 98 | 20k+ | Missing Translators Comment | ||
| #1477 | Recent Posts | 36 | 106 | 30 | 500 | Text Domain Mismatch | ||
| #1478 | Optimize Database after Deleting Revisions | 36 | 644 | 127 | 60k+ | Output is not escaped | ||
| #1479 | Search Everything | 36 | 165 | 77 | 10k+ | Text Domain Mismatch | ||
| #1480 | Shadowbox JS | 36 | 246 | 14 | 1k+ | Unsafe printing function | ||
| #1481 | Subscribe to Comments | 36 | 129 | 163 | 10k+ | Output is not escaped | ||
| #1482 | Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder | 36 | 162 | 40 | 200k+ | Output is not escaped | ||
| #1483 | The Events Calendar Shortcode & Block | 36 | 70 | 127 | 10k+ | Non-prefixed hook name | ||
| #1484 | Toolbox for Asgaros Forum | 36 | 150 | 84 | 1k+ | Output is not escaped | ||
| #1485 | Zoho ZeptoMail | 36 | 32 | 110 | 5k+ | Request data is not unslashed | ||
| #1486 | Ubigeo de Perú para Woocommerce y WordPress | 36 | 191 | 235 | 4k+ | Non-prefixed function | ||
| #1487 | Uji Countdown | 36 | 284 | 98 | 4k+ | Text Domain Mismatch | ||
| #1488 | Slider Ultimate | 36 | 294 | 80 | 500 | Output is not escaped | ||
| #1489 | underConstruction | 36 | 98 | 60 | 40k+ | Unsafe printing function | ||
| #1490 | PDF Flipbook, WPBakery Addon – Unreal FlipBook | 36 | 400 | 92 | 1k+ | Non Singular String Literal Domain | ||
| #1491 | User Roles and Capabilities | 36 | 227 | 132 | 8k+ | Output is not escaped | ||
| #1492 | Video Thumbnails Reloaded | 36 | 343 | 58 | 2k+ | Text Domain Mismatch | ||
| #1493 | VK Post Author Display | 36 | 87 | 113 | 10k+ | Non-prefixed function | ||
| #1494 | Wanderlust OCA para WooCommerce | 36 | 157 | 55 | 500 | Text Domain Mismatch | ||
| #1495 | Out of Stock Message Manager for WooCommerce | 36 | 293 | 95 | 2k+ | Text Domain Mismatch | ||
| #1496 | WC Pickup Store | 36 | 245 | 52 | 2k+ | Output is not escaped | ||
| #1497 | Quantity Plus Minus Button for WooCommerce | 36 | 83 | 84 | 10k+ | Output is not escaped | ||
| #1498 | Shipping with Venipak for WooCommerce | 36 | 239 | 61 | 1k+ | Text Domain Mismatch | ||
| #1499 | When Last Login | 36 | 52 | 123 | 50k+ | Non-prefixed global variable | ||
| #1500 | Disable Payment Methods based on cart conditions for WooCommerce | 36 | 158 | 57 | 1k+ | Non Singular String Literal Domain |