WordPress.Security.EscapeOutput.UnsafePrintingFunction

Unsafe printing function

A printing function is outputting dynamic content without proving that the content is escaped.

critical weight

Why It Shows Up

The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.

Why It Matters

Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.

How to Fix

  • Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
  • Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
  • Avoid marking values as safe unless they are hard-coded or already strictly constrained.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1701Greek Multi Tool – Greeklish Slugs, Permalinks & Transliteration38160821k+Unsafe printing function
#1702HashThemes Demo Importer3871446k+Output is not escaped
#1703CAOS | Host Google Analytics Locally381244410k+Output is not escaped
#1704Illdy Companion38187236k+Output is not escaped
#1705Import to Photo Gallery from NextGen gallery388083400Direct Query
#1706Coding Chicken – JetEngine Importer385529400Missing direct file access protection
#1707Insert PHP Code Snippet3816422790k+Output is not escaped
#17083D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery383537780k+Non Singular String Literal Domain
#1709JC Submenu38279324k+Output is not escaped
#1710Jock On Air Now (JOAN)38121224500Output is not escaped
#1711jQuery Pin It Button for Images381293610k+Output is not escaped
#1712Lana Downloads Manager38146783k+Unsafe printing function
#1713Lightning Advanced Unit38189273k+Output is not escaped
#1714Migrate Store: Export and Import WooCommerce Settings3837331k+Non-prefixed global variable
#1715Monetag Official Plugin38133325k+Text Domain Mismatch
#1716Most And Least Read Posts Widget38130241k+Output is not escaped
#1717MultiLine Files for Contact Form 73898409k+Text Domain Mismatch
#1718Name Directory385203092k+Output is not escaped
#1719Note – A live edit text widget38118491k+Output is not escaped
#1720One Click Order Re-Order38139631k+Non Singular String Literal Domain
#1721Open Graphite383802043k+Unsafe printing function
#1722Page Links To383140100k+Unsafe printing function
#1723PayTR Taksit Tablosu – WooCommerce3867393k+Non Singular String Literal Domain
#1724PDF Catalog for WooCommerce3830461k+Nonce verification recommended
#1725Podlove Subscribe button38148452k+Output is not escaped
#1726Polaroid Gallery38105201k+Unsafe printing function
#1727PopCash Code Integration Tool3877109400Nonce verification recommended
#1728Popular Posts by Webline3825681k+Output is not escaped
#1729Popular Widget386130700Unsafe printing function
#1730Post views Stats3837511k+Non-prefixed global variable
#1731PostLinks3810710700Output is not escaped
#1732qTranslate META388826400Output is not escaped
#1733qTranslate X Cleanup and WPML Import38167102800Text Domain Mismatch
#1734RDP Wiki Embed386926400Output is not escaped
#1735Recent Posts Plus3811141k+Output is not escaped
#1736WP REST API – OAuth 1.0a Server38100858k+Text Domain Mismatch
#1737Like This3860171k+Output is not escaped
#1738RSS Feed Widget38207892k+Unsafe printing function
#1739Invoice1233813988400Text Domain Mismatch
#1740Schema App Structured Data3835867k+Nonce verification recommended
#1741Shutter Reloaded38194951k+Text Domain Mismatch
#1742Simple Expires383239500Non Singular String Literal Domain
#1743Simple Google Sitemap XML383882k+Output is not escaped
#1744SimpleShop3852511k+date date
#1745Slickstream: Engagement and Conversions38100192k+Output is not escaped
#1746Social Icons38728310k+Output is not escaped
#1747SOGO Accessibility38147405k+Non Singular String Literal Domain
#1748SRS Simple Hits Counter3843988k+Output is not escaped
#1749Standout CSS3 Buttons3818315500Output is not escaped
#1750Stock Market News387111500Output is not escaped