WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2401 | Post title marquee scroll | 43 | 43 | 25 | 1k+ | Output is not escaped | ||
| #2402 | Pro Categories Widget | 43 | 59 | 9 | 800 | Output is not escaped | ||
| #2403 | Purchase Orders for WooCommerce | 43 | 117 | 74 | 1k+ | Text Domain Mismatch | ||
| #2404 | reCAPTCHA for MW WP Form | 43 | 37 | 14 | 30k+ | Non Singular String Literal Domain | ||
| #2405 | Rut Chileno con Validación para WooCommerce | 43 | 35 | 16 | 1k+ | Text Domain Mismatch | ||
| #2406 | SEO Backlink Monitor | 43 | 86 | 105 | 700 | Output is not escaped | ||
| #2407 | ShinyStat Analytics | 43 | 65 | 8 | 1k+ | Output is not escaped | ||
| #2408 | Simple Revisions Delete | 43 | 16 | 26 | 10k+ | Output is not escaped | ||
| #2409 | Simple Side Tab | 43 | 28 | 17 | 10k+ | Unsafe printing function | ||
| #2410 | Terms Order WP – Categories And Taxonomies Order Plugin | 43 | 12 | 47 | 900 | Non-prefixed global variable | ||
| #2411 | User role based shipping methods | 43 | 53 | 7 | 400 | Output is not escaped | ||
| #2412 | User Session Control | 43 | 31 | 21 | 700 | Output is not escaped | ||
| #2413 | Sovrn | 43 | 9 | 29 | 1k+ | Input is not sanitized | ||
| #2414 | WIP Custom Login | 43 | 21 | 37 | 700 | Nonce verification recommended | ||
| #2415 | WP Hotel Booking Stripe Payment | 43 | 34 | 29 | 400 | Text Domain Mismatch | ||
| #2416 | WP Post Expires | 43 | 21 | 15 | 2k+ | Output is not escaped | ||
| #2417 | WP SmartCrop | 43 | 43 | 12 | 4k+ | Output is not escaped | ||
| #2418 | Advanced Custom Fields: oEmbed Field | 44 | 36 | 13 | 900 | Text Domain Mismatch | ||
| #2419 | BBQ Firewall – Fast & Powerful Firewall Security | 44 | 17 | 17 | 100k+ | Output is not escaped | ||
| #2420 | Button visually impaired | 44 | 145 | 5 | 10k+ | Text Domain Mismatch | ||
| #2421 | Code Widget | 44 | 60 | 33 | 4k+ | Text Domain Mismatch | ||
| #2422 | Comment Image | 44 | 19 | 23 | 1k+ | Output is not escaped | ||
| #2423 | Cookie Bar | 44 | 29 | 3 | 10k+ | Unsafe printing function | ||
| #2424 | Currency Converter Widget | 44 | 37 | 6 | 3k+ | Unsafe printing function | ||
| #2425 | Debug Bar Console | 44 | 23 | 9 | 1k+ | Missing Arg Domain | ||
| #2426 | Easy!Appointments | 44 | 47 | 6 | 600 | Unsafe printing function | ||
| #2427 | Image Widget | 44 | 48 | 5 | 3k+ | Output is not escaped | ||
| #2428 | LearnPress – BuddyPress Integration | 44 | 27 | 25 | 1k+ | Output is not escaped | ||
| #2429 | LIQUID SPEECH BALLOON | 44 | 34 | 30 | 10k+ | Output is not escaped | ||
| #2430 | Minimum Order Amount for Woocommerce | 44 | 50 | 16 | 2k+ | Text Domain Mismatch | ||
| #2431 | Narrative Publisher | 44 | 28 | 37 | 1k+ | Text Domain Mismatch | ||
| #2432 | QR Code Woocommerce | 44 | 37 | 36 | 1k+ | Output is not escaped | ||
| #2433 | Setmore Appointments | 44 | 45 | 13 | 4k+ | Output is not escaped | ||
| #2434 | Simple Full Screen Background Image | 44 | 23 | 13 | 10k+ | Output is not escaped | ||
| #2435 | Simple Image Widget | 44 | 26 | 19 | 10k+ | Unsafe printing function | ||
| #2436 | Simple Matomo Tracking Code | 44 | 23 | 6 | 1k+ | Unsafe printing function | ||
| #2437 | ReCaptcha v2 for Contact Form 7 | 44 | 12 | 30 | 200k+ | Nonce verification recommended | ||
| #2438 | WPKoi Templates for Elementor | 44 | 937 | 25 | 5k+ | Text Domain Mismatch | ||
| #2439 | Advanced Custom Fields – Contact Form 7 Field | 45 | 59 | 8 | 2k+ | Output is not escaped | ||
| #2440 | Contact Details | 45 | 43 | 29 | 1k+ | Non Singular String Literal Text | ||
| #2441 | Custom Error Pages | 45 | 51 | 16 | 600 | Output is not escaped | ||
| #2442 | Easy HTML Sitemap | 45 | 75 | 8 | 600 | Text Domain Mismatch | ||
| #2443 | Format Media Titles | 45 | 33 | 4 | 5k+ | Unsafe printing function | ||
| #2444 | Icons Font Loader – Load Web Fonts and Icon Libraries | 45 | 47 | 33 | 2k+ | Text Domain Mismatch | ||
| #2445 | Inazo's flamingo automatically delete old messages | 45 | 33 | 20 | 4k+ | Output is not escaped | ||
| #2446 | Outdooractive Embed | 45 | 70 | 18 | 400 | Text Domain Mismatch | ||
| #2447 | Post Date Randomizer | 45 | 42 | 6 | 9k+ | Unsafe printing function | ||
| #2448 | ShayanWeb Admin FontChanger | افزونهی تغییر فونت پیشخوان وردپرس شایان وب | 45 | 42 | 8 | 1k+ | Output is not escaped | ||
| #2449 | Simple Login Notification | 45 | 13 | 22 | 2k+ | Request data is not unslashed | ||
| #2450 | Specify Missing Image Dimensions | 45 | 21 | 12 | 1k+ | Unsafe printing function |