WordPress.Security.EscapeOutput.UnsafePrintingFunction

Unsafe printing function

A printing function is outputting dynamic content without proving that the content is escaped.

critical weight

Why It Shows Up

The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.

Why It Matters

Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.

How to Fix

  • Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
  • Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
  • Avoid marking values as safe unless they are hard-coded or already strictly constrained.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1651Advanced Product Search For WooCommerce38160384k+Text Domain Mismatch
#1652Advanced Sermons388331841k+Unsafe printing function
#1653Afterpay Gateway for WooCommerce381836210k+Text Domain Mismatch
#1654AK Featured Post Widget381354400Output is not escaped
#1655Alphabetic Pagination38144117500Unsafe printing function
#1656Announce from the Dashboard38138247k+Non Singular String Literal Domain
#1657Announcement Bar38192613k+Non Singular String Literal Domain
#1658Any Mobile Theme Switcher38695920k+Output is not escaped
#1659Activity Log – Monitor & Record User Changes3881149200k+Nonce verification recommended
#1660Attachments38238668k+Unsafe printing function
#1661Author Category3885254k+Output is not escaped
#1662Autologin Links3873748k+Output is not escaped
#1663Beauty Form Styler for Gravity Forms387093600Output is not escaped
#1664Before After Image Comparison Slider for Elementor38633610k+Text Domain Mismatch
#1665Bible Verse of the Day38378233k+Unsafe printing function
#1666Blogger Importer38443950k+Output is not escaped
#1667BuddyPress Follow38114671k+Text Domain Mismatch
#1668CC Child Pages38631529k+Non-prefixed global variable
#1669WPAppsDev – CF7 Form Submission Limit38104331k+Text Domain Mismatch
#1670Contact Form 7 – Post Fields38167253k+Text Domain Mismatch
#1671CF7 to Webhook381027230k+Unsafe printing function
#1672Classic Editor Plus – WordPress Classic Editor plugin by Felix388342500Text Domain Mismatch
#1673Clever Mega Menu for Visual Composer38500871k+Output is not escaped
#1674Clever Mega Menu for Elementor38835441k+Output is not escaped
#1675Chatbot for WordPress by Collect.chat ⚡️3858366k+Unsafe printing function
#1676Colorlib 404 Customizer3865155k+Missing direct file access protection
#1677Country Code Selector3891201k+Unsafe printing function
#1678country-redirect385819400Text Domain Mismatch
#1679Custom Menu Wizard Widget38326302k+Output is not escaped
#1680WP Page Templates389228400Non Singular String Literal Domain
#1681Custom post type templates for Elementor3828933700Text Domain Mismatch
#1682Login Page Customizer – Customize Login Screen & Branding38361721k+Non-prefixed function
#1683Datafeedr Comparison Sets38450533k+Output is not escaped
#1684Datafeedr WooCommerce Importer38112565k+Text Domain Mismatch
#1685Availability Datepicker – Booking Calendar for Contact Form 7 – Input WP383443020k+Text Domain Mismatch
#1686Responsive Pricing Table3830910510k+Non Singular String Literal Domain
#1687Easy Yandex Metrica389748900Output is not escaped
#1688Erident Custom Login and Dashboard38122288k+Unsafe printing function
#1689EU Cookie Law Compliance38151222k+Non Singular String Literal Domain
#1690Export to Blogger3847117900Non-prefixed global variable
#1691Export User Data38187626k+Text Domain Mismatch
#1692Buttonizer – Social Media Share Buttons, Social Icons, & Social Feeds381678240k+Output is not escaped
#1693Social Photo Fetcher38151431k+Output is not escaped
#1694Social Shop for WooCommerce385124800Output is not escaped
#1695Responsive WordPress Slider – HG Slider3867757k+Missing nonce verification
#1696Foyer – Digital Signage for WordPress381481911k+Non-prefixed global variable
#1697Gecka Submenu38326363k+Output is not escaped
#1698GiveWP Donation Widgets for Elementor38483137k+Text Domain Mismatch
#1699GoDaddy Payments for WooCommerce3858652k+Output is not escaped
#1700GoodBarber3838731k+Nonce verification recommended