WordPress.Security.EscapeOutput.UnsafePrintingFunction

Unsafe printing function

A printing function is outputting dynamic content without proving that the content is escaped.

critical weight

Why It Shows Up

The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.

Why It Matters

Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.

How to Fix

  • Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
  • Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
  • Avoid marking values as safe unless they are hard-coded or already strictly constrained.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1501Disable Payment Methods based on cart conditions for WooCommerce36158571k+Non Singular String Literal Domain
#1502Guaranteed Reviews Company (Société des Avis Garantis)363691971k+Output is not escaped
#1503Extended Coupon Features for WooCommerce FREE362196310k+Text Domain Mismatch
#1504CatalogX – Catalog Mode, Enquiry & Quotes for WooCommerce36165695k+Text Domain Mismatch
#1505WP-Cleanup367929400Output is not escaped
#1506WP-EMail36340951k+Unsafe printing function
#1507WP Header Images361741336k+Unsafe printing function
#1508WP Hotel Booking WooCommerce3693991k+Output is not escaped
#1509WP LaTeX3610312700Output is not escaped
#1510WP Mail36202201500Output is not escaped
#1511Payment Button for PayPal36155864k+Unsafe printing function
#1512WP Publication Archive3619764400Text Domain Mismatch
#1513WP Responsive Menu3629513930k+Text Domain Mismatch
#1514WP Hardening (discontinued)362308510k+Text Domain Mismatch
#1515WP Show Posts3610710270k+Output is not escaped
#1516WP Sort Order361342116k+Direct Query
#1517WP Stripe Checkout361981181k+Unsafe printing function
#1518Yandex.Metrica36763060k+Output is not escaped
#1519WPAvatar3642545700Unsafe printing function
#1520WPLMS H5P361111061k+Text Domain Mismatch
#1521Database Snapshots – WPvivid36661081k+Direct Query
#1522Custom Product Tabs for WooCommerce36878180k+Output is not escaped
#1523360 Javascript Viewer37144221k+Output is not escaped
#1524ACF: TablePress37160451k+Text Domain Mismatch
#1525Add From Server37522060k+Output is not escaped
#1526AddToAny Share Buttons37123164300k+Unsafe printing function
#1527Advanced Custom Fields: NextGEN Gallery Field add-on3713120400Output is not escaped
#1528Agreeable374067800Unsafe printing function
#1529Analytics Spam Blocker377622800Unsafe printing function
#1530Anything Popup371641852k+Non-prefixed global variable
#1531Async JavaScript373577970k+Unsafe printing function
#1532Async JS and CSS37901700Text Domain Mismatch
#1533AZAN Plugin374430500Output is not escaped
#1534Banhammer – Monitor Site Traffic, Block Bad Users and Bots371041741k+Output is not escaped
#1535Bellows Accordion Menu371602810k+Text Domain Mismatch
#1536Better Click To Share – Shareable Quote Boxes for X (Twitter)37170596k+Unsafe printing function
#1537Blimply3717243800Text Domain Mismatch
#1538BuddyPress Members Only37184801k+Text Domain Mismatch
#1539Contact Zalo Report SW374439900Missing Arg Domain
#1540Catalog Booster & Product Catalog Mode for WooCommerce371061681k+Non-prefixed function
#1541Checkout for PayPal3713467600Unsafe printing function
#1542Clearpay Gateway for WooCommerce37185631k+Text Domain Mismatch
#1543CodePeople Post Map for Google Maps37257313k+Unsafe printing function
#1544Lightweight Subscribe To Comments37105701k+Unsafe printing function
#1545Constant Contact Forms by MailMunch37147532k+wp function not compatible with requires wp
#1546Crafty Social Buttons3727927900Non Singular String Literal Domain
#1547Ultimate Custom Add To Cart Button (Ajax) For WooCommerce by Binary Carpenter3715161600Output is not escaped
#1548Simple Custom CSS and JS3716869600k+Output is not escaped
#1549Custom Post Template37483010k+Output is not escaped
#1550DSGVO/GDPR Cookies, DSE, Impressum & Google Fonts Proxy3739125700Text Domain Mismatch