WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2301 | Confetti | 42 | 136 | 17 | 3k+ | Unsafe printing function | ||
| #2302 | CookieHub – Cookie Consent Banner (DSGVO, CCPA, RGPD and GDPR compliance) | 42 | 33 | 49 | 3k+ | Output is not escaped | ||
| #2303 | Custom Fields for Gutenberg | 42 | 24 | 24 | 1k+ | Output is not escaped | ||
| #2304 | Simpliest Social Share | 42 | 37 | 22 | 600 | Unsafe printing function | ||
| #2305 | Dashboard Notes | 42 | 27 | 34 | 600 | Missing Arg Domain | ||
| #2306 | Dashboard Sticky Notes | 42 | 20 | 17 | 2k+ | Missing nonce verification | ||
| #2307 | Delete Expired Transients | 42 | 49 | 65 | 5k+ | Direct Query | ||
| #2308 | Disable Comments | 42 | 44 | 19 | 100k+ | Unsafe printing function | ||
| #2309 | Disable Recaptcha – CF7 | 42 | 73 | 5 | 2k+ | Output is not escaped | ||
| #2310 | Disable User Login | 42 | 25 | 19 | 5k+ | Unsafe printing function | ||
| #2311 | Display Categories Widget | 42 | 90 | 4 | 3k+ | Output is not escaped | ||
| #2312 | Simple HTML Sitemap | 42 | 42 | 20 | 1k+ | Text Domain Mismatch | ||
| #2313 | Easy Video Player | 42 | 20 | 20 | 20k+ | Output is not escaped | ||
| #2314 | Enable Classic Editor & Widgets | 42 | 106 | 6 | 2k+ | Non Singular String Literal Domain | ||
| #2315 | Etsy Shop | 42 | 58 | 21 | 3k+ | Unsafe printing function | ||
| #2316 | Exclude Pages | 42 | 31 | 14 | 20k+ | Non Singular String Literal Domain | ||
| #2317 | Exit Popup | 42 | 51 | 5 | 1k+ | Output is not escaped | ||
| #2318 | First payment date for WooCommerce Subscriptions | 42 | 42 | 19 | 400 | Output is not escaped | ||
| #2319 | Flamix: Bitrix24 and Contact Form 7 integrations | 42 | 79 | 4 | 1k+ | Output is not escaped | ||
| #2320 | FooTable | 42 | 86 | 7 | 1k+ | Output is not escaped | ||
| #2321 | Lock Down Admin | 42 | 30 | 20 | 3k+ | Unsafe printing function | ||
| #2322 | Fusion Page Builder : Extension – Gallery | 42 | 29 | 30 | 600 | Output is not escaped | ||
| #2323 | Goolytics – Simple Google Analytics | 42 | 37 | 5 | 3k+ | Unsafe printing function | ||
| #2324 | Hide Featured Image | 42 | 26 | 12 | 10k+ | Unsafe printing function | ||
| #2325 | Image Uploader for Welcart | 42 | 27 | 24 | 3k+ | Output is not escaped | ||
| #2326 | WP All Import – Import SEO Settings for Rank Math SEO | 42 | 18 | 44 | 7k+ | Nonce verification recommended | ||
| #2327 | iOS images fixer | 42 | 22 | 42 | 6k+ | Nonce verification recommended | ||
| #2328 | iyzico for WooCommerce | 42 | 34 | 54 | 10k+ | Unsafe printing function | ||
| #2329 | Lazy Social Comments | 42 | 73 | 10 | 1k+ | Unsafe printing function | ||
| #2330 | LH Page Links To | 42 | 25 | 38 | 500 | Output is not escaped | ||
| #2331 | Lightweight Social Icons | 42 | 59 | 1 | 30k+ | Output is not escaped | ||
| #2332 | LIQUID BLOCKS – Slider, Carousel, Accordion | 42 | 50 | 31 | 4k+ | Unsafe printing function | ||
| #2333 | List Custom Taxonomy Widget | 42 | 52 | 5 | 9k+ | Output is not escaped | ||
| #2334 | Login No Captcha reCAPTCHA | 42 | 45 | 24 | 60k+ | Unsafe printing function | ||
| #2335 | Mass Delete Unused Tags | 42 | 21 | 9 | 800 | Output is not escaped | ||
| #2336 | My Upload Images | 42 | 74 | 48 | 400 | Unsafe printing function | ||
| #2337 | Nav Menu Collapse | 42 | 17 | 39 | 3k+ | Missing nonce verification | ||
| #2338 | NS Remove Related Products for WooCommerce | 42 | 95 | 43 | 3k+ | Output is not escaped | ||
| #2339 | OG Tags | 42 | 131 | 34 | 2k+ | Non Singular String Literal Domain | ||
| #2340 | PageMenu | 42 | 16 | 29 | 1k+ | Missing nonce verification | ||
| #2341 | PDF Thumbnail Generator | 42 | 26 | 16 | 2k+ | Output is not escaped | ||
| #2342 | PE Easy Slider | 42 | 190 | 10 | 800 | Output is not escaped | ||
| #2343 | Photo Galleria | 42 | 78 | 5 | 800 | Missing Arg Domain | ||
| #2344 | Polylang Theme Strings | 42 | 119 | 30 | 6k+ | Output is not escaped | ||
| #2345 | Posts Like Dislike | 42 | 157 | 39 | 5k+ | Non Singular String Literal Domain | ||
| #2346 | Recent Posts Widget Plus | 42 | 68 | 3 | 500 | Output is not escaped | ||
| #2347 | WP Required Taxonomies – Categories and Tags Mandatory | 42 | 43 | 36 | 1k+ | Non-prefixed global variable | ||
| #2348 | Responsive Mortgage Calculator | 42 | 38 | 28 | 7k+ | Output is not escaped | ||
| #2349 | RSS Just Better | 42 | 136 | 2 | 400 | Output is not escaped | ||
| #2350 | SALERT – Fake Sales Notification WooCommerce | 42 | 41 | 67 | 8k+ | Non-prefixed global variable |