WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1801 | Advanced Recent Posts Widget | 39 | 105 | 2 | 1k+ | Output is not escaped | ||
| #1802 | Advanced Spoiler | 39 | 106 | 19 | 600 | Non Singular String Literal Domain | ||
| #1803 | AffiliateWP – Affiliate Area Tabs | 39 | 86 | 26 | 3k+ | Output is not escaped | ||
| #1804 | Accessibility by AllAccessible | 39 | 200 | 82 | 2k+ | Unsafe printing function | ||
| #1805 | Animate It! | 39 | 137 | 16 | 20k+ | Text Domain Mismatch | ||
| #1806 | Archive Control | 39 | 151 | 67 | 1k+ | Unsafe printing function | ||
| #1807 | Australia Post WooCommerce Extension | 39 | 99 | 12 | 3k+ | Text Domain Mismatch | ||
| #1808 | Header Footer for Beaver Builder | 39 | 39 | 31 | 10k+ | Output is not escaped | ||
| #1809 | bbPress Moderation | 39 | 75 | 15 | 500 | Non Singular String Literal Domain | ||
| #1810 | Benchmark Email Lite | 39 | 86 | 23 | 1k+ | Output is not escaped | ||
| #1811 | Better Random Redirect | 39 | 88 | 40 | 700 | Text Domain Mismatch | ||
| #1812 | Better User Search | 39 | 24 | 44 | 700 | SQL query is not prepared | ||
| #1813 | Billplz for WooCommerce | 39 | 289 | 65 | 6k+ | Text Domain Mismatch | ||
| #1814 | BIP Pages | 39 | 98 | 25 | 400 | Short PHP open tag found | ||
| #1815 | Birds Custom Login | 39 | 196 | 23 | 4k+ | Non Singular String Literal Domain | ||
| #1816 | Blackhole for Bad Bots | 39 | 123 | 69 | 30k+ | Output is not escaped | ||
| #1817 | Block Editor Bootstrap Blocks | 39 | 173 | 50 | 900 | Text Domain Mismatch | ||
| #1818 | BOX NOW Delivery Croatia | 39 | 64 | 99 | 800 | Missing nonce verification | ||
| #1819 | BST DSGVO Cookie | 39 | 61 | 7 | 5k+ | Unsafe printing function | ||
| #1820 | BuddyPress Default Cover Photo | 39 | 62 | 39 | 500 | Output is not escaped | ||
| #1821 | BuddyPress Notification Widget | 39 | 54 | 31 | 600 | Output is not escaped | ||
| #1822 | BugSnag Error Monitoring plugin | 39 | 52 | 96 | 2k+ | wp function not compatible with requires wp | ||
| #1823 | Bulk NoIndex & NoFollow Toolkit | 39 | 72 | 172 | 2k+ | Nonce verification recommended | ||
| #1824 | Better WordPress External Links | 39 | 130 | 35 | 400 | Non Singular String Literal Domain | ||
| #1825 | Cache Images | 39 | 72 | 27 | 1k+ | Unsafe printing function | ||
| #1826 | Saitama Addon Pack | 39 | 152 | 27 | 1k+ | Output is not escaped | ||
| #1827 | Configurable Tag Cloud (CTC) | 39 | 126 | 121 | 2k+ | Output is not escaped | ||
| #1828 | Contact Form 7 – Dynamic Text Extension | 39 | 103 | 28 | 100k+ | Output is not escaped | ||
| #1829 | Content Visibility for Divi Builder | 39 | 184 | 59 | 2k+ | Non Singular String Literal Domain | ||
| #1830 | Cookies for Comments | 39 | 22 | 29 | 20k+ | Input is not validated | ||
| #1831 | Country & Phone Field Contact Form 7 | 39 | 117 | 34 | 40k+ | Text Domain Mismatch | ||
| #1832 | Custom Metadata Manager | 39 | 81 | 20 | 700 | Output is not escaped | ||
| #1833 | Custom Post Order | 39 | 14 | 32 | 400 | Input is not sanitized | ||
| #1834 | Custom Post Type Parents | 39 | 75 | 18 | 900 | Output is not escaped | ||
| #1835 | Custom Related Posts | 39 | 131 | 34 | 3k+ | Output is not escaped | ||
| #1836 | Custom Thank You for WooCommerce | 39 | 107 | 57 | 400 | Output is not escaped | ||
| #1837 | Dashboard Cleaner | 39 | 40 | 91 | 500 | Missing nonce verification | ||
| #1838 | Drip for Gravity Forms | 39 | 41 | 21 | 500 | Unsafe printing function | ||
| #1839 | Dublin Core Metadata Generator | 39 | 74 | 15 | 900 | Output is not escaped | ||
| #1840 | WeShareAI – AI-Powered Share Buttons (formerly E-MAILiT) | 39 | 165 | 24 | 700 | Unsafe printing function | ||
| #1841 | Caldera Forms styler for Elementor Page Builder | 39 | 173 | 12 | 700 | Text Domain Mismatch | ||
| #1842 | Enhanced Admin Bar with Codex Search | 39 | 64 | 3 | 1k+ | Missing Arg Domain | ||
| #1843 | Faster Image Insert | 39 | 94 | 26 | 2k+ | Output is not escaped | ||
| #1844 | Favorites | 39 | 187 | 123 | 10k+ | Unsafe printing function | ||
| #1845 | First Order Discount Woocommerce | 39 | 55 | 30 | 1k+ | Output is not escaped | ||
| #1846 | Flamix: Bitrix24 and WooCommerce Orders integration | 39 | 81 | 31 | 500 | Output is not escaped | ||
| #1847 | Floating Action Button | 39 | 164 | 69 | 1k+ | Unsafe printing function | ||
| #1848 | Gallery Widget | 39 | 122 | 11 | 500 | Output is not escaped | ||
| #1849 | GDPRess | Eliminate external requests to increase GDPR compliance | 39 | 60 | 26 | 1k+ | Output is not escaped | ||
| #1850 | GF Mollie by Indigo | 39 | 82 | 33 | 900 | Exception output is not escaped |