WordPress.Security.EscapeOutput.UnsafePrintingFunction

Unsafe printing function

A printing function is outputting dynamic content without proving that the content is escaped.

critical weight

Why It Shows Up

The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.

Why It Matters

Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.

How to Fix

  • Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
  • Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
  • Avoid marking values as safe unless they are hard-coded or already strictly constrained.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1901Serial Number for Contact Form 739105532k+Non Singular String Literal Domain
#1902Taxonomy Thumbnail3927583k+Non-prefixed function
#1903Shipping by Rules for WooCommerce3913048500Output is not escaped
#1904Show All Comments3910892400Nonce verification recommended
#1905Simple Membership WP user Import3922464k+Request data is not unslashed
#1906Simple Posts Ticker – Easy, Lightweight & Flexible39151282k+Output is not escaped
#1907SimpleModal Login395012700Unsafe printing function
#1908Slider Text Scroll399552400Text Domain Mismatch
#1909SMTP395415700Non Singular String Literal Domain
#1910Soumettre.fr391302610k+Text Domain Mismatch
#1911Stock Ticker3992492k+Output is not escaped
#1912Stockdio Historical Chart396516800Output is not escaped
#1913Substack Importer3933331k+Missing nonce verification
#1914Swifty Image Widget3911428900Output is not escaped
#1915Sydney Toolbox39846250k+Unsafe printing function
#1916Sync Post With Other Site39179213k+Non Singular String Literal Domain
#1917Tabify Edit Screen398327500Output is not escaped
#1918Easy Category Icons395043600Text Domain Mismatch
#1919OpenHook39172221k+Unsafe printing function
#1920TinyMCE Custom Styles39297767k+Non Singular String Literal Domain
#1921TinyMCE Spellcheck3927322k+Unsafe printing function
#1922TomS reCAPTCHA39128256500Missing nonce verification
#1923Ultimate Client Dash39697122k+Text Domain Mismatch
#1924Ultimate Lightbox39110591k+Unsafe printing function
#1925Universal Google Adsense and Ads manager3970312k+Unsafe printing function
#1926upPrev3935361k+Dynamic hook name
#1927UserHeat Plugin39121206k+Non Singular String Literal Domain
#1928Accessibility by UserWay39223580k+Direct Query
#1929BeGateway Payment Gateway for WooCommerce395744400Unsafe printing function
#1930Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types398911720k+Unsafe printing function
#1931Claudio Sanches – PagSeguro for WooCommerce39873710k+Unsafe printing function
#1932WooCommerce Product Dependencies3944603k+Missing nonce verification
#1933Store Toolkit – WooCommerce Extensions, Quick Enhancements & Handy Tools39322668k+Output is not escaped
#1934WP Accessibility3920010460k+Unsafe printing function
#1935Aparat for WordPress3959143k+Output is not escaped
#1936WP Attachments3949443k+Output is not escaped
#1937WP-Cycle3953173k+Output is not escaped
#1938WP Gmail SMTP3999501k+Text Domain Mismatch
#1939WP Performance Score Booster – Optimize Speed, Enable Cache & Page Preload39592710k+Unsafe printing function
#1940WP Realtime Sitemap39464110k+Output is not escaped
#1941WP Revision Master399629900Text Domain Mismatch
#1942WP SendGrid SMTP3999501k+Text Domain Mismatch
#1943WP Sitemap Control393137400Output is not escaped
#1944WP-Slimbox2 Plugin3977193k+Unsafe printing function
#1945WP Social Widget3923974k+Output is not escaped
#1946SEO Auto Linker3997623k+Unsafe printing function
#1947Categories to Tags Converter39863850k+Output is not escaped
#1948WPS Child Theme Generator39111856k+Unsafe printing function
#1949WPS Limit Login3915276100k+Output is not escaped
#1950Yandex Metrica39924620k+Output is not escaped