WordPress.Security.EscapeOutput.UnsafePrintingFunction

Unsafe printing function

A printing function is outputting dynamic content without proving that the content is escaped.

critical weight

Why It Shows Up

The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.

Why It Matters

Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.

How to Fix

  • Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
  • Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
  • Avoid marking values as safe unless they are hard-coded or already strictly constrained.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2501Hotline Phone Ring4816158k+Output is not escaped
#2502MWW Disclaimer Buttons482116400Output is not escaped
#2503Optinly – Exit Intent, Newsletter Popups, Gamification & Opt-in Forms483414800Non Singular String Literal Domain
#2504Really Simple CSV Importer4840840k+Output is not escaped
#2505Simple Regenerate Slug48186400Unsafe printing function
#2506Super Simple Google Analytics485532k+Output is not escaped
#2507Whitelist IP For Limit Login Attempts481812500Output is not escaped
#2508WP Attachment Export481625600Input is not sanitized
#2509WP First Letter Avatar484072k+Output is not escaped
#2510WP Google Search4845175k+Output is not escaped
#2511WP Login Form4814207k+Request data is not unslashed
#2512Advanced Custom Fields: Limiter Field495712900Output is not escaped
#2513AffiliateWP – Leaderboard4968131k+Output is not escaped
#2514CallPage – Callback Widget4941171k+Non Singular String Literal Domain
#2515Category Posts in Custom Menu4919182k+Output is not escaped
#2516Successful Redirection for Contact Form49332010k+Text Domain Mismatch
#2517CIO Custom Fields Importer49238400Output is not escaped
#2518GDPR Tools: comment ip removement4918132k+Unsafe printing function
#2519Easy Google AdSense4919125k+Output is not escaped
#2520Easy Media Download4920159k+Output is not escaped
#2521Import into Easy Property Listings49335241k+Text Domain Mismatch
#2522Web Icons4951101k+Output is not escaped
#2523Links With Icons Widget495321k+Output is not escaped
#2524Logo Carousel Slider49102146k+Non Singular String Literal Domain
#2525Meks Simple Flickr Widget4938020k+Output is not escaped
#2526Registered Users Only4914142k+Unsafe printing function
#2527Scroll Back To Top Button497313k+Missing Arg Domain
#2528Simple Post Expiration494710400Text Domain Mismatch
#2529Stop Pinging Yourself49478600Non Singular String Literal Domain
#2530Users by Date Registered4913201k+Nonce verification recommended
#2531Video Background4935269k+Unsafe printing function
#2532WooBuilder492017700Output is not escaped
#2533Advanced Custom Fields – Taxonomy Field add-on505741k+Non Singular String Literal Domain
#2534Bangla Fonts Collection50473400Text Domain Mismatch
#2535Dashboard To-Do List502181k+Unsafe printing function
#2536Simple User Listing502756900Non-prefixed global variable
#2537Ultimate WooCommerce Brands508712400Text Domain Mismatch
#2538WP Hide Show Featured Image503654k+Unsafe printing function
#2539WP SVG Images50581230k+Text Domain Mismatch
#2540ACF: User Role Selector51412600Output is not escaped
#2541Address Geocoder511218500Output is not escaped
#2542Adjust Admin Categories51301210k+Output is not escaped
#2543Booqable Rental Plugin5181181k+wp function not compatible with requires wp
#2544Bootstrap Modals514381k+Output is not escaped
#2545Dolyame Payment gateway5112210700Text Domain Mismatch
#2546GamiPress – Reset User511427400Interpolated SQL is not prepared
#2547Gravity Forms No CAPTCHA reCAPTCHA51301710k+Text Domain Mismatch
#2548Hide Admin Bar51351720k+Unsafe printing function
#2549KIA Subtitle5121197k+Non-prefixed global variable
#2550Simple Cookie Notification Bar514961k+Text Domain Mismatch