WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2351 | Sendcloud Shipping | 42 | 78 | 56 | 5k+ | Output is not escaped | ||
| #2352 | Set All First Images As Featured | 42 | 44 | 13 | 700 | Text Domain Mismatch | ||
| #2353 | Simple Download Counter | 42 | 58 | 46 | 2k+ | Output is not escaped | ||
| #2354 | Simple Meta Tags | 42 | 28 | 13 | 700 | Output is not escaped | ||
| #2355 | Simple Sticky Footer | 42 | 57 | 16 | 600 | Missing Arg Domain | ||
| #2356 | SMTP Mailer | 42 | 51 | 49 | 70k+ | Unsafe printing function | ||
| #2357 | Squelch Tabs and Accordions Shortcodes | 42 | 57 | 51 | 1k+ | Unsafe printing function | ||
| #2358 | Staffer | 42 | 88 | 42 | 600 | Output is not escaped | ||
| #2359 | SuperSaaS – online appointment scheduling | 42 | 79 | 10 | 1k+ | Text Domain Mismatch | ||
| #2360 | ThemeZee Widget Bundle | 42 | 211 | 58 | 5k+ | Output is not escaped | ||
| #2361 | Ultimate Category Excluder | 42 | 22 | 26 | 50k+ | Missing nonce verification | ||
| #2362 | UniConsent Cookie Consent CMP – Consent Manager | 42 | 148 | 18 | 1k+ | Unsafe printing function | ||
| #2363 | Vertical marquee post title | 42 | 109 | 68 | 400 | Output is not escaped | ||
| #2364 | WebPlanex: GST Invoice India | 42 | 63 | 63 | 400 | Text Domain Mismatch | ||
| #2365 | Widget Contact Now | 42 | 69 | 6 | 500 | Output is not escaped | ||
| #2366 | List Products By Category Widget for WooCommerce | 42 | 84 | 5 | 1k+ | Output is not escaped | ||
| #2367 | TT Extra Fee Option for WooCommerce | 42 | 37 | 19 | 1k+ | Output is not escaped | ||
| #2368 | Dynamic Remarketing for Google Ads and WooCommerce | 42 | 32 | 15 | 2k+ | Output is not escaped | ||
| #2369 | WP Child Theme Generator | 42 | 35 | 66 | 20k+ | Request data is not unslashed | ||
| #2370 | WP Cron Cleaner | 42 | 51 | 38 | 500 | Unsafe printing function | ||
| #2371 | WP Post Redirect | 42 | 29 | 17 | 3k+ | Unsafe printing function | ||
| #2372 | WP QuickLaTeX | 42 | 41 | 60 | 4k+ | Non-prefixed global variable | ||
| #2373 | WP Responsive Table | 42 | 42 | 10 | 6k+ | Output is not escaped | ||
| #2374 | Advanced All in One Admin Search by WP Spotlight | 42 | 25 | 25 | 900 | Missing Version | ||
| #2375 | WP Widget Clipboard – Duplicate widgets intuitively | 42 | 51 | 19 | 800 | Output is not escaped | ||
| #2376 | WPB Custom Tab Manager for WooCommerce – Add, Edit & Reorder Tabs | 42 | 95 | 32 | 500 | Output is not escaped | ||
| #2377 | WPFomo | 42 | 45 | 9 | 600 | Output is not escaped | ||
| #2378 | WPTerm | 42 | 61 | 89 | 3k+ | Output is not escaped | ||
| #2379 | Yandex.Metrika | 42 | 15 | 20 | 900 | Unsafe printing function | ||
| #2380 | Admin Menu Tree Page View | 43 | 17 | 69 | 10k+ | Nonce verification recommended | ||
| #2381 | Advanced TinyMCE Configuration | 43 | 99 | 8 | 10k+ | Text Domain Mismatch | ||
| #2382 | AdWords Conversion Tracking Code | 43 | 26 | 25 | 1k+ | Non Singular String Literal Domain | ||
| #2383 | Anonymous Restricted Content | 43 | 22 | 24 | 1k+ | Unsafe printing function | ||
| #2384 | Category Editor | 43 | 54 | 18 | 8k+ | Unsafe printing function | ||
| #2385 | Click to Call or Chat Buttons | 43 | 47 | 6 | 1k+ | Output is not escaped | ||
| #2386 | Simple Mortgage Calculator | 43 | 67 | 3 | 1k+ | Text Domain Mismatch | ||
| #2387 | Custom Menu | 43 | 83 | 11 | 400 | wp function not compatible with requires wp | ||
| #2388 | Customize Login Image | 43 | 32 | 9 | 3k+ | Unsafe printing function | ||
| #2389 | Database Addon For WPForms ( wpforms entries ) – WPFormsDB | 43 | 17 | 53 | 20k+ | Nonce verification recommended | ||
| #2390 | Disable Gutenberg | 43 | 23 | 47 | 500k+ | Nonce verification recommended | ||
| #2391 | Easy PayPal Shopping Cart | 43 | 19 | 40 | 1k+ | Input is not sanitized | ||
| #2392 | Email Notification on Login | 43 | 33 | 7 | 1k+ | Unsafe printing function | ||
| #2393 | F4 Total Stock Value for WooCommerce | 43 | 27 | 12 | 1k+ | Output is not escaped | ||
| #2394 | Event Tracking for Gravity Forms | 43 | 34 | 25 | 20k+ | rand mt rand | ||
| #2395 | jQuery UI Widgets | 43 | 131 | 5 | 1k+ | Unsafe printing function | ||
| #2396 | Linker – URL shortener & track outbound link clicks | 43 | 17 | 17 | 2k+ | Output is not escaped | ||
| #2397 | Lightbox | 43 | 29 | 10 | 700 | Unsafe printing function | ||
| #2398 | Page Transition | 43 | 39 | 30 | 700 | Output is not escaped | ||
| #2399 | PE Panels | 43 | 181 | 4 | 500 | Output is not escaped | ||
| #2400 | Post Carousel Slider for Elementor | 43 | 133 | 23 | 3k+ | Text Domain Mismatch |