WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2201 | Hide My Dates | 41 | 50 | 11 | 400 | Unsafe printing function | ||
| #2202 | Hide WP Admin Login | 41 | 23 | 39 | 500 | Nonce verification recommended | ||
| #2203 | Inpost Paczkomaty | 41 | 35 | 68 | 8k+ | Text Domain Mismatch | ||
| #2204 | Insert JavaScript and CSS | 41 | 64 | 19 | 400 | Text Domain Mismatch | ||
| #2205 | Jellyfish Counter Widget | 41 | 174 | 5 | 1k+ | Output is not escaped | ||
| #2206 | jQuery Vertical Scroller | 41 | 110 | 4 | 400 | Output is not escaped | ||
| #2207 | Ko-fi Button | 41 | 75 | 15 | 5k+ | Output is not escaped | ||
| #2208 | Lazy Load Optimizer | 41 | 63 | 26 | 3k+ | Unsafe printing function | ||
| #2209 | Lazy Load XT | 41 | 87 | 7 | 600 | Non Singular String Literal Domain | ||
| #2210 | LH Agree to Terms | 41 | 59 | 32 | 800 | Output is not escaped | ||
| #2211 | Log cleaner for Solid Security | 41 | 65 | 47 | 8k+ | Text Domain Mismatch | ||
| #2212 | Magic Liquidizer Responsive Table | 41 | 114 | 38 | 6k+ | Text Domain Mismatch | ||
| #2213 | MaxLimits – Increase Maximum Upload, Post & PHP Limits | 41 | 99 | 16 | 2k+ | Unsafe printing function | ||
| #2214 | Media Grid | 41 | 42 | 44 | 2k+ | Missing Arg Domain | ||
| #2215 | Meks Flexible Shortcodes | 41 | 133 | 1 | 10k+ | Unsafe printing function | ||
| #2216 | Mobile Contact Bar | 41 | 94 | 36 | 10k+ | Unsafe printing function | ||
| #2217 | Most Popular Categories | 41 | 67 | 2 | 600 | Output is not escaped | ||
| #2218 | MouseWheel Smooth Scroll | 41 | 104 | 7 | 100k+ | Text Domain Mismatch | ||
| #2219 | MS Custom Login | 41 | 117 | 6 | 900 | Unsafe printing function | ||
| #2220 | Multiple Domain | 41 | 42 | 17 | 10k+ | Output is not escaped | ||
| #2221 | My Favorites | 41 | 35 | 34 | 1k+ | Output is not escaped | ||
| #2222 | Native Emoji | 41 | 54 | 37 | 5k+ | Unsafe printing function | ||
| #2223 | Nepali Date Utilities | 41 | 51 | 15 | 1k+ | date date | ||
| #2224 | Optimus – WordPress Image Optimizer | 41 | 52 | 20 | 30k+ | Unsafe printing function | ||
| #2225 | Page Loading Effects | 41 | 68 | 24 | 2k+ | Output is not escaped | ||
| #2226 | Page Specific Menu Items | 41 | 78 | 19 | 2k+ | Output is not escaped | ||
| #2227 | Pages In Widgets | 41 | 131 | 6 | 3k+ | Output is not escaped | ||
| #2228 | Passwordless Login | 41 | 40 | 24 | 1k+ | Output is not escaped | ||
| #2229 | Web Accessibility (formally known as Ally) – WCAG Scanning, Guided Fixes, Usability Widget | 41 | 47 | 38 | 500k+ | Output is not escaped | ||
| #2230 | Post Cloner | 41 | 25 | 15 | 1k+ | Text Domain Mismatch | ||
| #2231 | Posts Viewed Recently | 41 | 58 | 16 | 700 | Output is not escaped | ||
| #2232 | Powie's WHOIS Domain Check | 41 | 38 | 11 | 500 | Unsafe printing function | ||
| #2233 | Preload LCP Image | 41 | 110 | 31 | 4k+ | Unsafe printing function | ||
| #2234 | Prevent Landscape Rotation | 41 | 31 | 27 | 1k+ | Output is not escaped | ||
| #2235 | Product Expiry for WooCommerce | 41 | 31 | 85 | 2k+ | Request data is not unslashed | ||
| #2236 | Quick View WooCommerce | 41 | 80 | 12 | 1k+ | Output is not escaped | ||
| #2237 | Recurring PayPal Donations | 41 | 48 | 47 | 800 | Text Domain Mismatch | ||
| #2238 | Revision Control | 41 | 60 | 28 | 40k+ | Output is not escaped | ||
| #2239 | Revisionize | 41 | 54 | 24 | 4k+ | Output is not escaped | ||
| #2240 | Send link to friend | 41 | 81 | 47 | 400 | Output is not escaped | ||
| #2241 | Service Box | 41 | 150 | 230 | 400 | Missing nonce verification | ||
| #2242 | Share a Draft | 41 | 39 | 6 | 3k+ | Output is not escaped | ||
| #2243 | Simple 301 Redirects By BetterLinks – Easy WordPress Redirect Manager for Redirects, 404 Error Log & More | 41 | 43 | 61 | 100k+ | Request data is not unslashed | ||
| #2244 | Simple CPT | 41 | 280 | 60 | 4k+ | Unsafe printing function | ||
| #2245 | Simple Like Page – Fast & Privacy-Friendly Page Embeds | 41 | 145 | 31 | 10k+ | Output is not escaped | ||
| #2246 | Simple Google Photos Grid | 41 | 48 | 2 | 1k+ | Output is not escaped | ||
| #2247 | IP Ban | 41 | 29 | 39 | 2k+ | Input is not validated | ||
| #2248 | Simple Page Access Restriction | 41 | 66 | 51 | 6k+ | Unsafe printing function | ||
| #2249 | Smooth Scroll Up | 41 | 61 | 10 | 6k+ | Output is not escaped | ||
| #2250 | Smoove connector for Elementor forms | 41 | 22 | 60 | 600 | Nonce verification recommended |