WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #201 | AR for WordPress | 23 | 151 | 499 | 400 | Non-prefixed global variable | ||
| #202 | Autoptimize | 23 | 288 | 191 | 800k+ | Output is not escaped | ||
| #203 | Shortcodes and extra features for Phlox theme | 23 | 412 | 424 | 90k+ | Output is not escaped | ||
| #204 | BA Book Everything | 23 | 1,184 | 1,086 | 10k+ | Output is not escaped | ||
| #205 | Beds24 Online Booking | 23 | 532 | 374 | 2k+ | wp function not compatible with requires wp | ||
| #206 | Kadence Security – Password, Two Factor Authentication, and Brute Force Protection | 23 | 1,053 | 967 | 700k+ | Missing Translators Comment | ||
| #207 | BlossomThemes Email Newsletter | 23 | 337 | 239 | 20k+ | Output is not escaped | ||
| #208 | Booking calendar, Appointment Booking System | 23 | 1,079 | 1,125 | 3k+ | Output is not escaped | ||
| #209 | BSK PDF Manager | 23 | 1,576 | 625 | 7k+ | Text Domain Mismatch | ||
| #210 | BuddyDrive | 23 | 722 | 1,597 | 1k+ | Non-prefixed global variable | ||
| #211 | Builderall for WordPress | 23 | 4,782 | 1,308 | 1k+ | Text Domain Mismatch | ||
| #212 | Announcement & Notification Banner – Bulletin | 23 | 930 | 1,576 | 2k+ | Non-prefixed global variable | ||
| #213 | Burger Companion | 23 | 3,274 | 472 | 10k+ | Text Domain Mismatch | ||
| #214 | Cart Notices for WooCommerce | 23 | 639 | 474 | 2k+ | Text Domain Mismatch | ||
| #215 | Products Suggestions for WooCommerce | 23 | 707 | 505 | 700 | Output is not escaped | ||
| #216 | Classified Listing – AI-Powered Classified ads & Business Directory | 23 | 155 | 2,074 | 9k+ | Non-prefixed global variable | ||
| #217 | Content Aware Sidebars – Fastest Widget Area Plugin | 23 | 993 | 1,738 | 30k+ | Non-prefixed global variable | ||
| #218 | Content Views – Post Grid & Filter, Recent Posts, Category Posts … (Shortcode, Gutenberg Blocks, and Widgets for Elementor) | 23 | 306 | 587 | 100k+ | Dynamic hook name | ||
| #219 | Free Theme Builder for Elementor – CRT Addons (Header, Footer, Archive, WooCommerce & 50+ Widgets) | 23 | 791 | 2,331 | 400 | Non-prefixed global variable | ||
| #220 | Currency Exchange for WooCommerce | 23 | 692 | 505 | 500 | Output is not escaped | ||
| #221 | CWW Companion | 23 | 307 | 223 | 1k+ | Output is not escaped | ||
| #222 | Auto Post Cleaner | 23 | 715 | 1,378 | 1k+ | Non-prefixed global variable | ||
| #223 | Disable Bloat for WordPress & WooCommerce | 23 | 863 | 1,325 | 10k+ | Non-prefixed global variable | ||
| #224 | Easy Digital Downloads – eCommerce Payments and Subscriptions made easy | 23 | 3,723 | 10,283 | 40k+ | Non-prefixed namespace | ||
| #225 | Error Log Monitor | 23 | 694 | 1,414 | 20k+ | Non-prefixed global variable | ||
| #226 | EventON – Events Calendar | 23 | 2,585 | 1,021 | 6k+ | Text Domain Mismatch | ||
| #227 | Ezoic | 23 | 432 | 516 | 10k+ | Output is not escaped | ||
| #228 | Fastcache by Host.it | 23 | 1,327 | 203 | 800 | Text Domain Mismatch | ||
| #229 | Featured Images in RSS for Mailchimp & More | 23 | 780 | 1,299 | 20k+ | Non-prefixed global variable | ||
| #230 | Feed Them Social – Social Media Feeds, Video, and Photo Galleries | 23 | 563 | 535 | 20k+ | Output is not escaped | ||
| #231 | Finpose – Accounting for WooCommerce | 23 | 1,649 | 1,307 | 400 | Non-prefixed global variable | ||
| #232 | Flexmls® IDX Plugin | 23 | 1,268 | 957 | 1k+ | Output is not escaped | ||
| #233 | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | 23 | 4,746 | 1,279 | 30k+ | Non Singular String Literal Domain | ||
| #234 | Freshdesk (official) | 23 | 194 | 386 | 900 | Non-prefixed function | ||
| #235 | Front End PM | 23 | 978 | 2,264 | 5k+ | Non-prefixed global variable | ||
| #236 | Futurio Extra | 23 | 787 | 205 | 20k+ | Text Domain Mismatch | ||
| #237 | FV Flowplayer Video Player | 23 | 1,311 | 1,454 | 20k+ | Output is not escaped | ||
| #238 | GAinWP Google Analytics Integration for WordPress | 23 | 525 | 176 | 8k+ | Output is not escaped | ||
| #239 | GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress | 23 | 3,589 | 2,760 | 10k+ | Output is not escaped | ||
| #240 | The GDPR Framework By Data443 | 23 | 1,287 | 517 | 10k+ | Short PHP open tag found | ||
| #241 | Gutenberg | 23 | 605 | 327 | 300k+ | Missing direct file access protection | ||
| #242 | Interactive Content – H5P | 23 | 565 | 380 | 40k+ | Non Singular String Literal Domain | ||
| #243 | Happy Addons for Elementor | 23 | 573 | 444 | 400k+ | Output is not escaped | ||
| #244 | Hunk Companion | 23 | 2,547 | 687 | 6k+ | Text Domain Mismatch | ||
| #245 | Ibtana – Ecommerce Product Addons | 23 | 1,547 | 1,718 | 6k+ | Non Singular String Literal Domain | ||
| #246 | Payment forms, Buy now buttons, and Invoicing System | GetPaid | 23 | 389 | 1,266 | 5k+ | Non-prefixed global variable | ||
| #247 | IP Geo Block | 23 | 399 | 589 | 8k+ | Output is not escaped | ||
| #248 | Kadence Blocks — Page Builder Toolkit for Gutenberg Editor | 23 | 55 | 2,127 | 600k+ | Non-prefixed global variable | ||
| #249 | Kenta Companion | 23 | 657 | 1,419 | 2k+ | Non-prefixed global variable | ||
| #250 | Like Button Rating ♥ LikeBtn | 23 | 1,231 | 617 | 4k+ | Unsafe printing function |