WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1751 | Stock Market Overview | 38 | 86 | 14 | 1k+ | Output is not escaped | ||
| #1752 | Stock Market Ticker | 38 | 69 | 14 | 3k+ | Output is not escaped | ||
| #1753 | Stock Quotes List | 38 | 72 | 13 | 600 | Output is not escaped | ||
| #1754 | Subscriptions & Memberships for PayPal | 38 | 73 | 237 | 900 | Request data is not unslashed | ||
| #1755 | Super Simple Slider | 38 | 55 | 55 | 1k+ | Non-prefixed global variable | ||
| #1756 | Swiper Js Slider | 38 | 125 | 35 | 400 | Output is not escaped | ||
| #1757 | Tag Manager – Header, Body And Footer | 38 | 97 | 319 | 20k+ | Non-prefixed global variable | ||
| #1758 | Logo Slider , Logo Carousel , Logo showcase , Client Logo | 38 | 72 | 22 | 1k+ | Output is not escaped | ||
| #1759 | Templatiq | 38 | 31 | 94 | 900 | Non-prefixed hook name | ||
| #1760 | Product Compare for WooCommerce | 38 | 55 | 191 | 3k+ | Non-prefixed global variable | ||
| #1761 | Theme Blvd Widget Pack | 38 | 240 | 17 | 1k+ | Output is not escaped | ||
| #1762 | TopList.cz | 38 | 138 | 7 | 400 | Output is not escaped | ||
| #1763 | Sidebar Login Widget | 38 | 90 | 16 | 700 | Output is not escaped | ||
| #1764 | Twenty Eleven Theme Extensions | 38 | 35 | 30 | 3k+ | Output is not escaped | ||
| #1765 | Twiget Twitter Widget | 38 | 147 | 36 | 500 | Output is not escaped | ||
| #1766 | Twitter for WordPress | 38 | 47 | 24 | 1k+ | Output is not escaped | ||
| #1767 | TypePad emoji for TinyMCE | 38 | 100 | 24 | 8k+ | Text Domain Mismatch | ||
| #1768 | User Specific Content | 38 | 143 | 19 | 1k+ | Text Domain Mismatch | ||
| #1769 | Ninja Forms Views – Display & Edit Ninja Forms Submissions on your site frontend | 38 | 84 | 49 | 1k+ | Output is not escaped | ||
| #1770 | TWIPLA (Visitor Analytics IO) – Privacy-First Website Stats, Session Recordings, Heatmaps, Polls and Surveys | 38 | 71 | 49 | 900 | Output is not escaped | ||
| #1771 | Shipping Packages for WooCommerce – Dropship from multiple locations like AliExpress, eBay, Amazon, Etsy | 38 | 94 | 26 | 900 | Non Singular String Literal Domain | ||
| #1772 | WDV About Me Widget | 38 | 150 | 8 | 900 | Output is not escaped | ||
| #1773 | White Label – WordPress Custom Admin, Custom Login Page, and Custom Dashboard | 38 | 205 | 31 | 10k+ | Output is not escaped | ||
| #1774 | Products Coming Soon for WooCommerce | 38 | 151 | 62 | 700 | Output is not escaped | ||
| #1775 | Show Stock Status for WooCommerce | 38 | 30 | 19 | 1k+ | Output is not escaped | ||
| #1776 | Vietnam Checkout for WooCommerce | 38 | 93 | 137 | 10k+ | Nonce verification recommended | ||
| #1777 | WP Hebrew Date | 38 | 102 | 13 | 600 | Output is not escaped | ||
| #1778 | WP 404 Auto Redirect to Similar Post | 38 | 166 | 48 | 30k+ | Text Domain Mismatch | ||
| #1779 | WP Accessibility Helper (WAH) | 38 | 61 | 88 | 10k+ | Missing direct file access protection | ||
| #1780 | WP-Ban | 38 | 99 | 108 | 8k+ | Unsafe printing function | ||
| #1781 | WP-CommentNavi | 38 | 68 | 46 | 700 | Output is not escaped | ||
| #1782 | WP Content Copy Protection with Color Design | 38 | 96 | 61 | 5k+ | Non Singular String Literal Domain | ||
| #1783 | WP-DraftsForFriends | 38 | 141 | 71 | 1k+ | Output is not escaped | ||
| #1784 | WP Mail SMTP SendGrid Edition | 38 | 102 | 19 | 500 | Text Domain Mismatch | ||
| #1785 | WP Mailgun SMTP | 38 | 99 | 51 | 900 | Text Domain Mismatch | ||
| #1786 | WP Maintenance Mode & Site Under Construction | 38 | 72 | 57 | 3k+ | Output is not escaped | ||
| #1787 | WP Media Categories | 38 | 40 | 103 | 800 | Nonce verification recommended | ||
| #1788 | mb.miniAudioPlayer – an HTML5 audio player for your mp3 files | 38 | 204 | 6 | 4k+ | Unsafe printing function | ||
| #1789 | WP Redirects – Contact Form 7 | 38 | 50 | 71 | 400 | Unsafe printing function | ||
| #1790 | WP-ServerInfo | 38 | 162 | 55 | 10k+ | Output is not escaped | ||
| #1791 | External Store for Shopify | 38 | 97 | 33 | 2k+ | Output is not escaped | ||
| #1792 | WP Terms Popup – Terms and Conditions and Privacy Policy WordPress Popups | 38 | 299 | 58 | 3k+ | Non Singular String Literal Domain | ||
| #1793 | WP Video Lightbox | 38 | 107 | 67 | 30k+ | Unsafe printing function | ||
| #1794 | mb.YTPlayer for background videos | 38 | 80 | 29 | 1k+ | Unsafe printing function | ||
| #1795 | ZeroBounce Email Verification & Validation | 38 | 299 | 162 | 900 | Text Domain Mismatch | ||
| #1796 | Accounting for WooCommerce | 39 | 87 | 115 | 500 | Unsafe printing function | ||
| #1797 | ACF: Google Font Selector | 39 | 57 | 45 | 3k+ | Output is not escaped | ||
| #1798 | ACF Recent Posts Widget | 39 | 260 | 16 | 500 | Output is not escaped | ||
| #1799 | Admin Custom Font | 39 | 34 | 25 | 1k+ | Unsafe printing function | ||
| #1800 | Advanced Categories Widget | 39 | 170 | 41 | 800 | Output is not escaped |