WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2501 | Hotline Phone Ring | 48 | 16 | 15 | 8k+ | Output is not escaped | ||
| #2502 | MWW Disclaimer Buttons | 48 | 21 | 16 | 400 | Output is not escaped | ||
| #2503 | Optinly – Exit Intent, Newsletter Popups, Gamification & Opt-in Forms | 48 | 34 | 14 | 800 | Non Singular String Literal Domain | ||
| #2504 | Really Simple CSV Importer | 48 | 40 | 8 | 40k+ | Output is not escaped | ||
| #2505 | Simple Regenerate Slug | 48 | 18 | 6 | 400 | Unsafe printing function | ||
| #2506 | Super Simple Google Analytics | 48 | 55 | 3 | 2k+ | Output is not escaped | ||
| #2507 | Whitelist IP For Limit Login Attempts | 48 | 18 | 12 | 500 | Output is not escaped | ||
| #2508 | WP Attachment Export | 48 | 16 | 25 | 600 | Input is not sanitized | ||
| #2509 | WP First Letter Avatar | 48 | 40 | 7 | 2k+ | Output is not escaped | ||
| #2510 | WP Google Search | 48 | 45 | 17 | 5k+ | Output is not escaped | ||
| #2511 | WP Login Form | 48 | 14 | 20 | 7k+ | Request data is not unslashed | ||
| #2512 | Advanced Custom Fields: Limiter Field | 49 | 57 | 12 | 900 | Output is not escaped | ||
| #2513 | AffiliateWP – Leaderboard | 49 | 68 | 13 | 1k+ | Output is not escaped | ||
| #2514 | CallPage – Callback Widget | 49 | 41 | 17 | 1k+ | Non Singular String Literal Domain | ||
| #2515 | Category Posts in Custom Menu | 49 | 19 | 18 | 2k+ | Output is not escaped | ||
| #2516 | Successful Redirection for Contact Form | 49 | 33 | 20 | 10k+ | Text Domain Mismatch | ||
| #2517 | CIO Custom Fields Importer | 49 | 23 | 8 | 400 | Output is not escaped | ||
| #2518 | GDPR Tools: comment ip removement | 49 | 18 | 13 | 2k+ | Unsafe printing function | ||
| #2519 | Easy Google AdSense | 49 | 19 | 12 | 5k+ | Output is not escaped | ||
| #2520 | Easy Media Download | 49 | 20 | 15 | 9k+ | Output is not escaped | ||
| #2521 | Import into Easy Property Listings | 49 | 335 | 24 | 1k+ | Text Domain Mismatch | ||
| #2522 | Web Icons | 49 | 51 | 10 | 1k+ | Output is not escaped | ||
| #2523 | Links With Icons Widget | 49 | 53 | 2 | 1k+ | Output is not escaped | ||
| #2524 | Logo Carousel Slider | 49 | 102 | 14 | 6k+ | Non Singular String Literal Domain | ||
| #2525 | Meks Simple Flickr Widget | 49 | 38 | 0 | 20k+ | Output is not escaped | ||
| #2526 | Registered Users Only | 49 | 14 | 14 | 2k+ | Unsafe printing function | ||
| #2527 | Scroll Back To Top Button | 49 | 73 | 1 | 3k+ | Missing Arg Domain | ||
| #2528 | Simple Post Expiration | 49 | 47 | 10 | 400 | Text Domain Mismatch | ||
| #2529 | Stop Pinging Yourself | 49 | 47 | 8 | 600 | Non Singular String Literal Domain | ||
| #2530 | Users by Date Registered | 49 | 13 | 20 | 1k+ | Nonce verification recommended | ||
| #2531 | Video Background | 49 | 35 | 26 | 9k+ | Unsafe printing function | ||
| #2532 | WooBuilder | 49 | 20 | 17 | 700 | Output is not escaped | ||
| #2533 | Advanced Custom Fields – Taxonomy Field add-on | 50 | 57 | 4 | 1k+ | Non Singular String Literal Domain | ||
| #2534 | Bangla Fonts Collection | 50 | 47 | 3 | 400 | Text Domain Mismatch | ||
| #2535 | Dashboard To-Do List | 50 | 21 | 8 | 1k+ | Unsafe printing function | ||
| #2536 | Simple User Listing | 50 | 27 | 56 | 900 | Non-prefixed global variable | ||
| #2537 | Ultimate WooCommerce Brands | 50 | 87 | 12 | 400 | Text Domain Mismatch | ||
| #2538 | WP Hide Show Featured Image | 50 | 36 | 5 | 4k+ | Unsafe printing function | ||
| #2539 | WP SVG Images | 50 | 58 | 12 | 30k+ | Text Domain Mismatch | ||
| #2540 | ACF: User Role Selector | 51 | 41 | 2 | 600 | Output is not escaped | ||
| #2541 | Address Geocoder | 51 | 12 | 18 | 500 | Output is not escaped | ||
| #2542 | Adjust Admin Categories | 51 | 30 | 12 | 10k+ | Output is not escaped | ||
| #2543 | Booqable Rental Plugin | 51 | 81 | 18 | 1k+ | wp function not compatible with requires wp | ||
| #2544 | Bootstrap Modals | 51 | 43 | 8 | 1k+ | Output is not escaped | ||
| #2545 | Dolyame Payment gateway | 51 | 122 | 10 | 700 | Text Domain Mismatch | ||
| #2546 | GamiPress – Reset User | 51 | 14 | 27 | 400 | Interpolated SQL is not prepared | ||
| #2547 | Gravity Forms No CAPTCHA reCAPTCHA | 51 | 30 | 17 | 10k+ | Text Domain Mismatch | ||
| #2548 | Hide Admin Bar | 51 | 35 | 17 | 20k+ | Unsafe printing function | ||
| #2549 | KIA Subtitle | 51 | 21 | 19 | 7k+ | Non-prefixed global variable | ||
| #2550 | Simple Cookie Notification Bar | 51 | 49 | 6 | 1k+ | Text Domain Mismatch |