WordPress.Security.EscapeOutput.UnsafePrintingFunction

Unsafe printing function

A printing function is outputting dynamic content without proving that the content is escaped.

critical weight

Why It Shows Up

The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.

Why It Matters

Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.

How to Fix

  • Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
  • Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
  • Avoid marking values as safe unless they are hard-coded or already strictly constrained.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1951YITH Custom Login3986335k+Output is not escaped
#1952You can quote me on that395737400Output is not escaped
#1953AccessibleWP – ALT Detector405514500Text Domain Mismatch
#1954ACF qTranslate40184258k+Output is not escaped
#1955ACF Theme Code for Advanced Custom Fields404784010k+Output is not escaped
#1956Subscribe Button by AddToAny409347900Output is not escaped
#1957Address Autocomplete Anything409432900Unsafe printing function
#1958Advanced Admin Search407948600Non Singular String Literal Text
#1959Advanced Custom Fields: Font Awesome Field403327090k+Text Domain Mismatch
#1960Advanced WooCommerce Product Gallery Slider4042483k+Non-prefixed global variable
#1961Advanced WPLink4067191k+Text Domain Mismatch
#1962AgreeMe Checkboxes For WooCommerce408844600Text Domain Mismatch
#1963AJAX Thumbnail Rebuild40381430k+Unsafe printing function
#1964amCharts: Charts and Maps402631132k+Text Domain Mismatch
#1965Analytics Cat – Google Analytics Made Easy4083276k+Text Domain Mismatch
#1966Animated Live Wall Gallery4027722k+Request data is not unslashed
#1967Athemes Toolbox40254583k+Text Domain Mismatch
#1968Attachment Importer4024763k+Input is not sanitized
#1969Auto Upload Images40621320k+Unsafe printing function
#1970Autocomplete LearnDash Lessons and Topics4046161k+Missing Arg Domain
#1971AutoConvert Greeklish Permalinks401161330k+Text Domain Mismatch
#1972bbPress WP Tweaks40147181k+Output is not escaped
#1973Better Internal Link Search4023481k+strip tags strip tags
#1974Black Studio TinyMCE Widget403928200k+Output is not escaped
#1975BuddyPress Profile Completion402830500Output is not escaped
#1976Bulk Add Terms407427800Text Domain Mismatch
#1977Bulk Featured Image4069117800Output is not escaped
#1978Bulk Move4085449k+Unsafe printing function
#1979Coming soon Page402418500Text Domain Mismatch
#1980Custom Cart Link for WooCommerce402416700Unsafe printing function
#1981Catalog for Woocommerce4092751k+Output is not escaped
#1982Categories Metabox Enhanced4077361k+Output is not escaped
#1983Category Featured Images Extended4017740400Text Domain Mismatch
#1984CC BMI Calculator401357800Output is not escaped
#1985CleverReach Integration for Contact Form 74010343700Text Domain Mismatch
#1986Contact form 7 TO API + Basic Auth4073301k+Non Singular String Literal Domain
#1987Contact Form 7 to Mailjet407039600Output is not escaped
#1988Cleaner Gallery404082k+Unsafe printing function
#1989Client Portal – Private user pages and login4052293k+Output is not escaped
#1990Client Portal : SuiteDash Direct Login4093171k+Text Domain Mismatch
#1991Top-Bar CodeBulls409113700Text Domain Mismatch
#1992Conditional WooCommerce Checkout Field408422400Unsafe printing function
#1993Contact Form 7 GetResponse Extension4090181k+Text Domain Mismatch
#1994Contact Form 7 Multi-Step Forms40654150k+Output is not escaped
#1995Database Addon for Contact Form 7 – CFDB7403556600k+Nonce verification recommended
#1996Corona Virus Data40279271k+Unsafe printing function
#1997Coupon Generator for WooCommerce40392810k+Unsafe printing function
#1998Crisp – Live Chat and Chatbot40242020k+Unsafe printing function
#1999Cron Logger4049361k+Output is not escaped
#2000Cryout Serious Theme Settings403325140k+Output is not escaped