WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1851 | Gift Up Gift Cards for WordPress and WooCommerce | 39 | 94 | 60 | 5k+ | Output is not escaped | ||
| #1852 | GL Import External Images | 39 | 118 | 19 | 800 | wp function not compatible with requires wp | ||
| #1853 | Google Calendar Widget | 39 | 82 | 11 | 700 | Output is not escaped | ||
| #1854 | GoSMTP – SMTP for WordPress | 39 | 59 | 42 | 500k+ | Output is not escaped | ||
| #1855 | Gravity Slider Fields | 39 | 56 | 36 | 2k+ | Text Domain Mismatch | ||
| #1856 | GS Only PDF Preview | 39 | 46 | 36 | 1k+ | Output is not escaped | ||
| #1857 | HD Quiz | 39 | 252 | 82 | 7k+ | Output is not escaped | ||
| #1858 | Hide My WP Lite | 39 | 24 | 62 | 400 | Nonce verification recommended | ||
| #1859 | HTML5 Cumulus | 39 | 132 | 33 | 1k+ | Output is not escaped | ||
| #1860 | HW Image Widget | 39 | 138 | 41 | 1k+ | Output is not escaped | ||
| #1861 | If Menu – Visibility control for Menus | 39 | 281 | 63 | 50k+ | Output is not escaped | ||
| #1862 | Image Carousel | 39 | 164 | 18 | 1k+ | Output is not escaped | ||
| #1863 | Image Watermark WP | 39 | 88 | 82 | 600 | Output is not escaped | ||
| #1864 | Improved Save Button | 39 | 44 | 52 | 4k+ | Missing Translators Comment | ||
| #1865 | Insert Html Snippet | 39 | 159 | 205 | 20k+ | Output is not escaped | ||
| #1866 | JetGridBuilder — Grid Builder for Elementor and Gutenberg | 39 | 414 | 40 | 4k+ | Text Domain Mismatch | ||
| #1867 | Korea SNS | 39 | 88 | 30 | 4k+ | Unsafe printing function | ||
| #1868 | Library Viewer | 39 | 65 | 93 | 400 | Non-prefixed hook name | ||
| #1869 | linkPizza-Manager | 39 | 46 | 23 | 700 | Exception output is not escaped | ||
| #1870 | Logo Showcase – Logo Slider, Carousel & Sponsors Gallery | 39 | 535 | 98 | 1k+ | Text Domain Mismatch | ||
| #1871 | Logo Showcase – Carousel, Slider, Grid & List for WordPress | 39 | 123 | 160 | 400 | Unsafe printing function | ||
| #1872 | MailChimp Add-On for FormCraft | 39 | 56 | 29 | 800 | curl curl setopt | ||
| #1873 | Manage Enrollment for LearnDash | 39 | 48 | 79 | 400 | Unsafe printing function | ||
| #1874 | Map Categories to Pages | 39 | 48 | 13 | 700 | Output is not escaped | ||
| #1875 | Mascaras CF7 | 39 | 54 | 16 | 1k+ | Text Domain Mismatch | ||
| #1876 | Meks Easy Photo Feed Widget | 39 | 77 | 27 | 10k+ | Output is not escaped | ||
| #1877 | Menubar | 39 | 171 | 46 | 1k+ | Output is not escaped | ||
| #1878 | Zen Feed | 39 | 39 | 22 | 400 | Output is not escaped | ||
| #1879 | Mizan Demo Importer | 39 | 31 | 68 | 1k+ | Missing Version | ||
| #1880 | Modal Dialog | 39 | 64 | 64 | 500 | Output is not escaped | ||
| #1881 | Movable Type and TypePad Importer | 39 | 42 | 25 | 20k+ | Output is not escaped | ||
| #1882 | Multilingual Contact Form 7 with Polylang | 39 | 50 | 30 | 9k+ | Text Domain Mismatch | ||
| #1883 | NextGEN Download Gallery | 39 | 57 | 21 | 2k+ | Short PHP open tag found | ||
| #1884 | Open Graph Pro | 39 | 52 | 13 | 1k+ | Output is not escaped | ||
| #1885 | SOGO Add Script to Individual Pages Header Footer | 39 | 74 | 40 | 20k+ | Output is not escaped | ||
| #1886 | Page List Widget | 39 | 150 | 6 | 400 | Output is not escaped | ||
| #1887 | Designil PDPA Thailand | 39 | 131 | 36 | 3k+ | Output is not escaped | ||
| #1888 | PO/MO Editor | 39 | 106 | 45 | 1k+ | Unsafe printing function | ||
| #1889 | Posts By Tag | 39 | 151 | 30 | 1k+ | Output is not escaped | ||
| #1890 | Privilege Menu | 39 | 215 | 49 | 1k+ | Text Domain Mismatch | ||
| #1891 | Quantcast Choice | 39 | 227 | 11 | 3k+ | Text Domain Mismatch | ||
| #1892 | Simple Webchat | 39 | 142 | 204 | 1k+ | Output is not escaped | ||
| #1893 | Radio Buttons for Taxonomies | 39 | 40 | 24 | 20k+ | Output is not escaped | ||
| #1894 | Really Simple Gallery Widget | 39 | 114 | 90 | 700 | Non-prefixed global variable | ||
| #1895 | Recent Posts with Excerpts | 39 | 138 | 2 | 700 | Output is not escaped | ||
| #1896 | Redirect 404 Error Page to Homepage or Custom Page with Logs | 39 | 27 | 53 | 10k+ | Nonce verification recommended | ||
| #1897 | Responsify WP | 39 | 90 | 11 | 600 | Unsafe printing function | ||
| #1898 | REST API Helper | 39 | 108 | 85 | 500 | Unsafe printing function | ||
| #1899 | Royal Mail Shipping Calculator for WooCommerce | 39 | 61 | 31 | 1k+ | Text Domain Mismatch | ||
| #1900 | Scripts n Styles | 39 | 150 | 92 | 30k+ | Output is not escaped |