WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2001 | Cryptocurrency Widgets Pack | 40 | 222 | 52 | 700 | Unsafe printing function | ||
| #2002 | Dashboard Welcome for Beaver Builder | 40 | 38 | 24 | 2k+ | Output is not escaped | ||
| #2003 | Duplicate Page | 40 | 39 | 43 | 3m+ | Unsafe printing function | ||
| #2004 | Easy Document Embedder – Embed Word, excel, Powerpoint, Pdf file and more.. | 40 | 55 | 27 | 500 | Output is not escaped | ||
| #2005 | Easy Image Collage | 40 | 96 | 18 | 4k+ | Unsafe printing function | ||
| #2006 | Easy Textillate | 40 | 63 | 12 | 1k+ | Unsafe printing function | ||
| #2007 | Contact Form 7 styler for Elementor Page Builder | 40 | 126 | 10 | 900 | Unsafe printing function | ||
| #2008 | Enhanced Custom Permalinks | 40 | 51 | 82 | 1k+ | Nonce verification recommended | ||
| #2009 | Eventer | 40 | 61 | 55 | 1k+ | Output is not escaped | ||
| #2010 | Expiring Posts | 40 | 52 | 20 | 900 | Missing Arg Domain | ||
| #2011 | Export Post Info | 40 | 66 | 3 | 1k+ | Unsafe printing function | ||
| #2012 | Fan Page Widget by ThemeNcode | 40 | 108 | 3 | 1k+ | Output is not escaped | ||
| #2013 | FluentComments – Spam protection, AntiSpam, Ajax Enhanced Comments | 40 | 50 | 47 | 700 | Non-prefixed global variable | ||
| #2014 | Full Background Manager | 40 | 37 | 24 | 7k+ | Output is not escaped | ||
| #2015 | Analytics Germanized for Google Analytics (GDPR / DSGVO) | 40 | 49 | 14 | 7k+ | Output is not escaped | ||
| #2016 | Osom Author Pro | 40 | 83 | 22 | 1k+ | Output is not escaped | ||
| #2017 | Product Enquiry for WooCommerce | 40 | 57 | 41 | 3k+ | Output is not escaped | ||
| #2018 | Gravity Forms Data Persistence Add-On Reloaded | 40 | 14 | 38 | 700 | Input is not sanitized | ||
| #2019 | Header Footer Custom Html | 40 | 95 | 22 | 1k+ | Unsafe printing function | ||
| #2020 | heatmap for WordPress – Realtime analytics | 40 | 94 | 15 | 1k+ | Non Singular String Literal Domain | ||
| #2021 | Hostinger Reach – AI-Powered Email Marketing for WordPress | 40 | 9 | 45 | 1m+ | Direct Query | ||
| #2022 | I Agree! Popups | 40 | 54 | 46 | 600 | Output is not escaped | ||
| #2023 | iCalendrier | 40 | 65 | 7 | 700 | Output is not escaped | ||
| #2024 | If Widget – Visibility control for Widgets | 40 | 99 | 25 | 1k+ | Unsafe printing function | ||
| #2025 | IFrame Widget | 40 | 87 | 1 | 500 | Output is not escaped | ||
| #2026 | iNext Woo Pincode Checker | 40 | 36 | 82 | 700 | Missing nonce verification | ||
| #2027 | Quotes Addon for GetPaid | 40 | 191 | 21 | 700 | Text Domain Mismatch | ||
| #2028 | Links shortcode | 40 | 73 | 13 | 900 | Unsafe printing function | ||
| #2029 | WP All Import – Listings Import for Listify | 40 | 34 | 27 | 400 | Output is not escaped | ||
| #2030 | WPO365 | Mail Integration for Office 365 / Outlook | 40 | 59 | 27 | 2k+ | Output is not escaped | ||
| #2031 | MailerSend – Official SMTP Integration | 40 | 39 | 25 | 2k+ | Unsafe printing function | ||
| #2032 | Manual Image Crop | 40 | 178 | 61 | 8k+ | Output is not escaped | ||
| #2033 | Mark New Posts | 40 | 61 | 39 | 500 | Non Singular String Literal Domain | ||
| #2034 | MAS Company Reviews For WP Job Manager | 40 | 44 | 71 | 1k+ | Output is not escaped | ||
| #2035 | Mass Email To Users | 40 | 84 | 81 | 800 | Output is not escaped | ||
| #2036 | WP Mobile Redirect | 40 | 44 | 20 | 400 | Text Domain Mismatch | ||
| #2037 | Monkeyman Rewrite Analyzer | 40 | 89 | 10 | 2k+ | Non Singular String Literal Domain | ||
| #2038 | No-Bot Registration | 40 | 112 | 42 | 2k+ | Unsafe printing function | ||
| #2039 | No CAPTCHA reCAPTCHA | 40 | 112 | 26 | 4k+ | Text Domain Mismatch | ||
| #2040 | One Click SSL | 40 | 136 | 62 | 10k+ | Unsafe printing function | ||
| #2041 | OPML Importer | 40 | 35 | 13 | 3k+ | Output is not escaped | ||
| #2042 | Owl Carousel WP | 40 | 62 | 19 | 1k+ | Output is not escaped | ||
| #2043 | Page Comments Off Please | 40 | 17 | 29 | 1k+ | Nonce verification recommended | ||
| #2044 | Donations via PayPal | 40 | 143 | 17 | 20k+ | Output is not escaped | ||
| #2045 | Give – Paystack Gateway | 40 | 96 | 10 | 1k+ | Text Domain Mismatch | ||
| #2046 | Paystack MemberPress | 40 | 71 | 76 | 400 | Output is not escaped | ||
| #2047 | PE Recent Posts | 40 | 292 | 11 | 2k+ | Output is not escaped | ||
| #2048 | Permalink Editor | 40 | 50 | 28 | 1k+ | Output is not escaped | ||
| #2049 | List Petfinder Pets | 40 | 121 | 46 | 400 | Output is not escaped | ||
| #2050 | Pixel Tag Manager for WooCommerce – Google Analytics 4, Google Ads, and More Pixels | 40 | 69 | 228 | 3k+ | Missing nonce verification |