WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1951 | YITH Custom Login | 39 | 86 | 33 | 5k+ | Output is not escaped | ||
| #1952 | You can quote me on that | 39 | 57 | 37 | 400 | Output is not escaped | ||
| #1953 | AccessibleWP – ALT Detector | 40 | 55 | 14 | 500 | Text Domain Mismatch | ||
| #1954 | ACF qTranslate | 40 | 184 | 25 | 8k+ | Output is not escaped | ||
| #1955 | ACF Theme Code for Advanced Custom Fields | 40 | 478 | 40 | 10k+ | Output is not escaped | ||
| #1956 | Subscribe Button by AddToAny | 40 | 93 | 47 | 900 | Output is not escaped | ||
| #1957 | Address Autocomplete Anything | 40 | 94 | 32 | 900 | Unsafe printing function | ||
| #1958 | Advanced Admin Search | 40 | 79 | 48 | 600 | Non Singular String Literal Text | ||
| #1959 | Advanced Custom Fields: Font Awesome Field | 40 | 332 | 70 | 90k+ | Text Domain Mismatch | ||
| #1960 | Advanced WooCommerce Product Gallery Slider | 40 | 42 | 48 | 3k+ | Non-prefixed global variable | ||
| #1961 | Advanced WPLink | 40 | 67 | 19 | 1k+ | Text Domain Mismatch | ||
| #1962 | AgreeMe Checkboxes For WooCommerce | 40 | 88 | 44 | 600 | Text Domain Mismatch | ||
| #1963 | AJAX Thumbnail Rebuild | 40 | 38 | 14 | 30k+ | Unsafe printing function | ||
| #1964 | amCharts: Charts and Maps | 40 | 263 | 113 | 2k+ | Text Domain Mismatch | ||
| #1965 | Analytics Cat – Google Analytics Made Easy | 40 | 83 | 27 | 6k+ | Text Domain Mismatch | ||
| #1966 | Animated Live Wall Gallery | 40 | 27 | 72 | 2k+ | Request data is not unslashed | ||
| #1967 | Athemes Toolbox | 40 | 254 | 58 | 3k+ | Text Domain Mismatch | ||
| #1968 | Attachment Importer | 40 | 24 | 76 | 3k+ | Input is not sanitized | ||
| #1969 | Auto Upload Images | 40 | 62 | 13 | 20k+ | Unsafe printing function | ||
| #1970 | Autocomplete LearnDash Lessons and Topics | 40 | 46 | 16 | 1k+ | Missing Arg Domain | ||
| #1971 | AutoConvert Greeklish Permalinks | 40 | 116 | 13 | 30k+ | Text Domain Mismatch | ||
| #1972 | bbPress WP Tweaks | 40 | 147 | 18 | 1k+ | Output is not escaped | ||
| #1973 | Better Internal Link Search | 40 | 23 | 48 | 1k+ | strip tags strip tags | ||
| #1974 | Black Studio TinyMCE Widget | 40 | 39 | 28 | 200k+ | Output is not escaped | ||
| #1975 | BuddyPress Profile Completion | 40 | 28 | 30 | 500 | Output is not escaped | ||
| #1976 | Bulk Add Terms | 40 | 74 | 27 | 800 | Text Domain Mismatch | ||
| #1977 | Bulk Featured Image | 40 | 69 | 117 | 800 | Output is not escaped | ||
| #1978 | Bulk Move | 40 | 85 | 44 | 9k+ | Unsafe printing function | ||
| #1979 | Coming soon Page | 40 | 24 | 18 | 500 | Text Domain Mismatch | ||
| #1980 | Custom Cart Link for WooCommerce | 40 | 24 | 16 | 700 | Unsafe printing function | ||
| #1981 | Catalog for Woocommerce | 40 | 92 | 75 | 1k+ | Output is not escaped | ||
| #1982 | Categories Metabox Enhanced | 40 | 77 | 36 | 1k+ | Output is not escaped | ||
| #1983 | Category Featured Images Extended | 40 | 177 | 40 | 400 | Text Domain Mismatch | ||
| #1984 | CC BMI Calculator | 40 | 135 | 7 | 800 | Output is not escaped | ||
| #1985 | CleverReach Integration for Contact Form 7 | 40 | 103 | 43 | 700 | Text Domain Mismatch | ||
| #1986 | Contact form 7 TO API + Basic Auth | 40 | 73 | 30 | 1k+ | Non Singular String Literal Domain | ||
| #1987 | Contact Form 7 to Mailjet | 40 | 70 | 39 | 600 | Output is not escaped | ||
| #1988 | Cleaner Gallery | 40 | 40 | 8 | 2k+ | Unsafe printing function | ||
| #1989 | Client Portal – Private user pages and login | 40 | 52 | 29 | 3k+ | Output is not escaped | ||
| #1990 | Client Portal : SuiteDash Direct Login | 40 | 93 | 17 | 1k+ | Text Domain Mismatch | ||
| #1991 | Top-Bar CodeBulls | 40 | 91 | 13 | 700 | Text Domain Mismatch | ||
| #1992 | Conditional WooCommerce Checkout Field | 40 | 84 | 22 | 400 | Unsafe printing function | ||
| #1993 | Contact Form 7 GetResponse Extension | 40 | 90 | 18 | 1k+ | Text Domain Mismatch | ||
| #1994 | Contact Form 7 Multi-Step Forms | 40 | 65 | 41 | 50k+ | Output is not escaped | ||
| #1995 | Database Addon for Contact Form 7 – CFDB7 | 40 | 35 | 56 | 600k+ | Nonce verification recommended | ||
| #1996 | Corona Virus Data | 40 | 279 | 27 | 1k+ | Unsafe printing function | ||
| #1997 | Coupon Generator for WooCommerce | 40 | 39 | 28 | 10k+ | Unsafe printing function | ||
| #1998 | Crisp – Live Chat and Chatbot | 40 | 24 | 20 | 20k+ | Unsafe printing function | ||
| #1999 | Cron Logger | 40 | 49 | 36 | 1k+ | Output is not escaped | ||
| #2000 | Cryout Serious Theme Settings | 40 | 332 | 51 | 40k+ | Output is not escaped |