WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1651 | Advanced Product Search For WooCommerce | 38 | 160 | 38 | 4k+ | Text Domain Mismatch | ||
| #1652 | Advanced Sermons | 38 | 833 | 184 | 1k+ | Unsafe printing function | ||
| #1653 | Afterpay Gateway for WooCommerce | 38 | 183 | 62 | 10k+ | Text Domain Mismatch | ||
| #1654 | AK Featured Post Widget | 38 | 135 | 4 | 400 | Output is not escaped | ||
| #1655 | Alphabetic Pagination | 38 | 144 | 117 | 500 | Unsafe printing function | ||
| #1656 | Announce from the Dashboard | 38 | 138 | 24 | 7k+ | Non Singular String Literal Domain | ||
| #1657 | Announcement Bar | 38 | 192 | 61 | 3k+ | Non Singular String Literal Domain | ||
| #1658 | Any Mobile Theme Switcher | 38 | 69 | 59 | 20k+ | Output is not escaped | ||
| #1659 | Activity Log – Monitor & Record User Changes | 38 | 81 | 149 | 200k+ | Nonce verification recommended | ||
| #1660 | Attachments | 38 | 238 | 66 | 8k+ | Unsafe printing function | ||
| #1661 | Author Category | 38 | 85 | 25 | 4k+ | Output is not escaped | ||
| #1662 | Autologin Links | 38 | 73 | 74 | 8k+ | Output is not escaped | ||
| #1663 | Beauty Form Styler for Gravity Forms | 38 | 70 | 93 | 600 | Output is not escaped | ||
| #1664 | Before After Image Comparison Slider for Elementor | 38 | 63 | 36 | 10k+ | Text Domain Mismatch | ||
| #1665 | Bible Verse of the Day | 38 | 378 | 23 | 3k+ | Unsafe printing function | ||
| #1666 | Blogger Importer | 38 | 44 | 39 | 50k+ | Output is not escaped | ||
| #1667 | BuddyPress Follow | 38 | 114 | 67 | 1k+ | Text Domain Mismatch | ||
| #1668 | CC Child Pages | 38 | 63 | 152 | 9k+ | Non-prefixed global variable | ||
| #1669 | WPAppsDev – CF7 Form Submission Limit | 38 | 104 | 33 | 1k+ | Text Domain Mismatch | ||
| #1670 | Contact Form 7 – Post Fields | 38 | 167 | 25 | 3k+ | Text Domain Mismatch | ||
| #1671 | CF7 to Webhook | 38 | 102 | 72 | 30k+ | Unsafe printing function | ||
| #1672 | Classic Editor Plus – WordPress Classic Editor plugin by Felix | 38 | 83 | 42 | 500 | Text Domain Mismatch | ||
| #1673 | Clever Mega Menu for Visual Composer | 38 | 500 | 87 | 1k+ | Output is not escaped | ||
| #1674 | Clever Mega Menu for Elementor | 38 | 835 | 44 | 1k+ | Output is not escaped | ||
| #1675 | Chatbot for WordPress by Collect.chat ⚡️ | 38 | 58 | 36 | 6k+ | Unsafe printing function | ||
| #1676 | Colorlib 404 Customizer | 38 | 65 | 15 | 5k+ | Missing direct file access protection | ||
| #1677 | Country Code Selector | 38 | 91 | 20 | 1k+ | Unsafe printing function | ||
| #1678 | country-redirect | 38 | 58 | 19 | 400 | Text Domain Mismatch | ||
| #1679 | Custom Menu Wizard Widget | 38 | 326 | 30 | 2k+ | Output is not escaped | ||
| #1680 | WP Page Templates | 38 | 92 | 28 | 400 | Non Singular String Literal Domain | ||
| #1681 | Custom post type templates for Elementor | 38 | 289 | 33 | 700 | Text Domain Mismatch | ||
| #1682 | Login Page Customizer – Customize Login Screen & Branding | 38 | 36 | 172 | 1k+ | Non-prefixed function | ||
| #1683 | Datafeedr Comparison Sets | 38 | 450 | 53 | 3k+ | Output is not escaped | ||
| #1684 | Datafeedr WooCommerce Importer | 38 | 112 | 56 | 5k+ | Text Domain Mismatch | ||
| #1685 | Availability Datepicker – Booking Calendar for Contact Form 7 – Input WP | 38 | 344 | 30 | 20k+ | Text Domain Mismatch | ||
| #1686 | Responsive Pricing Table | 38 | 309 | 105 | 10k+ | Non Singular String Literal Domain | ||
| #1687 | Easy Yandex Metrica | 38 | 97 | 48 | 900 | Output is not escaped | ||
| #1688 | Erident Custom Login and Dashboard | 38 | 122 | 28 | 8k+ | Unsafe printing function | ||
| #1689 | EU Cookie Law Compliance | 38 | 151 | 22 | 2k+ | Non Singular String Literal Domain | ||
| #1690 | Export to Blogger | 38 | 47 | 117 | 900 | Non-prefixed global variable | ||
| #1691 | Export User Data | 38 | 187 | 62 | 6k+ | Text Domain Mismatch | ||
| #1692 | Buttonizer – Social Media Share Buttons, Social Icons, & Social Feeds | 38 | 167 | 82 | 40k+ | Output is not escaped | ||
| #1693 | Social Photo Fetcher | 38 | 151 | 43 | 1k+ | Output is not escaped | ||
| #1694 | Social Shop for WooCommerce | 38 | 51 | 24 | 800 | Output is not escaped | ||
| #1695 | Responsive WordPress Slider – HG Slider | 38 | 67 | 75 | 7k+ | Missing nonce verification | ||
| #1696 | Foyer – Digital Signage for WordPress | 38 | 148 | 191 | 1k+ | Non-prefixed global variable | ||
| #1697 | Gecka Submenu | 38 | 326 | 36 | 3k+ | Output is not escaped | ||
| #1698 | GiveWP Donation Widgets for Elementor | 38 | 483 | 13 | 7k+ | Text Domain Mismatch | ||
| #1699 | GoDaddy Payments for WooCommerce | 38 | 58 | 65 | 2k+ | Output is not escaped | ||
| #1700 | GoodBarber | 38 | 38 | 73 | 1k+ | Nonce verification recommended |