WordPress.Security.EscapeOutput.UnsafePrintingFunction

Unsafe printing function

A printing function is outputting dynamic content without proving that the content is escaped.

critical weight

Why It Shows Up

The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.

Why It Matters

Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.

How to Fix

  • Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
  • Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
  • Avoid marking values as safe unless they are hard-coded or already strictly constrained.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1801Advanced Recent Posts Widget3910521k+Output is not escaped
#1802Advanced Spoiler3910619600Non Singular String Literal Domain
#1803AffiliateWP – Affiliate Area Tabs3986263k+Output is not escaped
#1804Accessibility by AllAccessible39200822k+Unsafe printing function
#1805Animate It!391371620k+Text Domain Mismatch
#1806Archive Control39151671k+Unsafe printing function
#1807Australia Post WooCommerce Extension3999123k+Text Domain Mismatch
#1808Header Footer for Beaver Builder39393110k+Output is not escaped
#1809bbPress Moderation397515500Non Singular String Literal Domain
#1810Benchmark Email Lite3986231k+Output is not escaped
#1811Better Random Redirect398840700Text Domain Mismatch
#1812Better User Search392444700SQL query is not prepared
#1813Billplz for WooCommerce39289656k+Text Domain Mismatch
#1814BIP Pages399825400Short PHP open tag found
#1815Birds Custom Login39196234k+Non Singular String Literal Domain
#1816Blackhole for Bad Bots391236930k+Output is not escaped
#1817Block Editor Bootstrap Blocks3917350900Text Domain Mismatch
#1818BOX NOW Delivery Croatia396499800Missing nonce verification
#1819BST DSGVO Cookie396175k+Unsafe printing function
#1820BuddyPress Default Cover Photo396239500Output is not escaped
#1821BuddyPress Notification Widget395431600Output is not escaped
#1822BugSnag Error Monitoring plugin3952962k+wp function not compatible with requires wp
#1823Bulk NoIndex & NoFollow Toolkit39721722k+Nonce verification recommended
#1824Better WordPress External Links3913035400Non Singular String Literal Domain
#1825Cache Images3972271k+Unsafe printing function
#1826Saitama Addon Pack39152271k+Output is not escaped
#1827Configurable Tag Cloud (CTC)391261212k+Output is not escaped
#1828Contact Form 7 – Dynamic Text Extension3910328100k+Output is not escaped
#1829Content Visibility for Divi Builder39184592k+Non Singular String Literal Domain
#1830Cookies for Comments39222920k+Input is not validated
#1831Country & Phone Field Contact Form 7391173440k+Text Domain Mismatch
#1832Custom Metadata Manager398120700Output is not escaped
#1833Custom Post Order391432400Input is not sanitized
#1834Custom Post Type Parents397518900Output is not escaped
#1835Custom Related Posts39131343k+Output is not escaped
#1836Custom Thank You for WooCommerce3910757400Output is not escaped
#1837Dashboard Cleaner394091500Missing nonce verification
#1838Drip for Gravity Forms394121500Unsafe printing function
#1839Dublin Core Metadata Generator397415900Output is not escaped
#1840WeShareAI – AI-Powered Share Buttons (formerly E-MAILiT)3916524700Unsafe printing function
#1841Caldera Forms styler for Elementor Page Builder3917312700Text Domain Mismatch
#1842Enhanced Admin Bar with Codex Search396431k+Missing Arg Domain
#1843Faster Image Insert3994262k+Output is not escaped
#1844Favorites3918712310k+Unsafe printing function
#1845First Order Discount Woocommerce3955301k+Output is not escaped
#1846Flamix: Bitrix24 and WooCommerce Orders integration398131500Output is not escaped
#1847Floating Action Button39164691k+Unsafe printing function
#1848Gallery Widget3912211500Output is not escaped
#1849GDPRess | Eliminate external requests to increase GDPR compliance3960261k+Output is not escaped
#1850GF Mollie by Indigo398233900Exception output is not escaped