WordPress.Security.EscapeOutput.UnsafePrintingFunction

Unsafe printing function

A printing function is outputting dynamic content without proving that the content is escaped.

critical weight

Why It Shows Up

The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.

Why It Matters

Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.

How to Fix

  • Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
  • Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
  • Avoid marking values as safe unless they are hard-coded or already strictly constrained.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1851Gift Up Gift Cards for WordPress and WooCommerce3994605k+Output is not escaped
#1852GL Import External Images3911819800wp function not compatible with requires wp
#1853Google Calendar Widget398211700Output is not escaped
#1854GoSMTP – SMTP for WordPress395942500k+Output is not escaped
#1855Gravity Slider Fields3956362k+Text Domain Mismatch
#1856GS Only PDF Preview3946361k+Output is not escaped
#1857HD Quiz39252827k+Output is not escaped
#1858Hide My WP Lite392462400Nonce verification recommended
#1859HTML5 Cumulus39132331k+Output is not escaped
#1860HW Image Widget39138411k+Output is not escaped
#1861If Menu – Visibility control for Menus392816350k+Output is not escaped
#1862Image Carousel39164181k+Output is not escaped
#1863Image Watermark WP398882600Output is not escaped
#1864Improved Save Button3944524k+Missing Translators Comment
#1865Insert Html Snippet3915920520k+Output is not escaped
#1866JetGridBuilder — Grid Builder for Elementor and Gutenberg39414404k+Text Domain Mismatch
#1867Korea SNS3988304k+Unsafe printing function
#1868Library Viewer396593400Non-prefixed hook name
#1869linkPizza-Manager394623700Exception output is not escaped
#1870Logo Showcase – Logo Slider, Carousel & Sponsors Gallery39535981k+Text Domain Mismatch
#1871Logo Showcase – Carousel, Slider, Grid & List for WordPress39123160400Unsafe printing function
#1872MailChimp Add-On for FormCraft395629800curl curl setopt
#1873Manage Enrollment for LearnDash394879400Unsafe printing function
#1874Map Categories to Pages394813700Output is not escaped
#1875Mascaras CF73954161k+Text Domain Mismatch
#1876Meks Easy Photo Feed Widget39772710k+Output is not escaped
#1877Menubar39171461k+Output is not escaped
#1878Zen Feed393922400Output is not escaped
#1879Mizan Demo Importer3931681k+Missing Version
#1880Modal Dialog396464500Output is not escaped
#1881Movable Type and TypePad Importer39422520k+Output is not escaped
#1882Multilingual Contact Form 7 with Polylang3950309k+Text Domain Mismatch
#1883NextGEN Download Gallery3957212k+Short PHP open tag found
#1884Open Graph Pro3952131k+Output is not escaped
#1885SOGO Add Script to Individual Pages Header Footer39744020k+Output is not escaped
#1886Page List Widget391506400Output is not escaped
#1887Designil PDPA Thailand39131363k+Output is not escaped
#1888PO/MO Editor39106451k+Unsafe printing function
#1889Posts By Tag39151301k+Output is not escaped
#1890Privilege Menu39215491k+Text Domain Mismatch
#1891Quantcast Choice39227113k+Text Domain Mismatch
#1892Simple Webchat391422041k+Output is not escaped
#1893Radio Buttons for Taxonomies39402420k+Output is not escaped
#1894Really Simple Gallery Widget3911490700Non-prefixed global variable
#1895Recent Posts with Excerpts391382700Output is not escaped
#1896Redirect 404 Error Page to Homepage or Custom Page with Logs39275310k+Nonce verification recommended
#1897Responsify WP399011600Unsafe printing function
#1898REST API Helper3910885500Unsafe printing function
#1899Royal Mail Shipping Calculator for WooCommerce3961311k+Text Domain Mismatch
#1900Scripts n Styles391509230k+Output is not escaped