WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2551 | Simple Cookie Notification Bar | 51 | 49 | 6 | 1k+ | Text Domain Mismatch | ||
| #2552 | The Cache Purger | 51 | 16 | 16 | 1k+ | Non Singular String Literal Text | ||
| #2553 | The Paste | 51 | 19 | 11 | 10k+ | Unsafe printing function | ||
| #2554 | Toolbar Publish Button | 51 | 37 | 4 | 5k+ | Unsafe printing function | ||
| #2555 | Visual Sitemap | 51 | 23 | 6 | 400 | Output is not escaped | ||
| #2556 | REST API Log | 51 | 44 | 95 | 5k+ | Non-prefixed hook name | ||
| #2557 | Affiliate Area Shortcodes by AffiliateWP | 52 | 56 | 16 | 2k+ | Text Domain Mismatch | ||
| #2558 | Bloglovin Button | 52 | 33 | 1 | 800 | Output is not escaped | ||
| #2559 | Firelight Lightbox | 52 | 78 | 97 | 200k+ | Non-prefixed global variable | ||
| #2560 | Easy WP Page Navigation | 52 | 60 | 8 | 800 | Non Singular String Literal Domain | ||
| #2561 | Formstack Online Forms | 52 | 39 | 20 | 1k+ | Output is not escaped | ||
| #2562 | Meta Generator and Version Info Remover | 52 | 20 | 28 | 10k+ | Non-prefixed function | ||
| #2563 | Plugins Load Order | 52 | 32 | 16 | 500 | Non Singular String Literal Domain | ||
| #2564 | Product Bundles – Variation Bundles | 52 | 23 | 13 | 600 | Output is not escaped | ||
| #2565 | Remove Uppercase Accents | 52 | 41 | 2 | 8k+ | Unsafe printing function | ||
| #2566 | Stealth Publish | 52 | 7 | 22 | 900 | Missing nonce verification | ||
| #2567 | Custom Post Template By Templatic | 52 | 19 | 14 | 600 | Text Domain Mismatch | ||
| #2568 | Add to Cart Custom Redirect for WooCommerce | 52 | 33 | 13 | 2k+ | Text Domain Mismatch | ||
| #2569 | WP Eventbrite Embedded Checkout | 52 | 49 | 7 | 700 | Text Domain Mismatch | ||
| #2570 | Bg RuTube Embed | 53 | 19 | 21 | 1k+ | Unsafe printing function | ||
| #2571 | Bulk Actions Select All | 53 | 26 | 22 | 800 | Text Domain Mismatch | ||
| #2572 | Column Shortcodes | 53 | 32 | 9 | 60k+ | Unsafe printing function | ||
| #2573 | Export Custom Pages | 53 | 22 | 19 | 700 | Output is not escaped | ||
| #2574 | Focus Videos | 53 | 36 | 9 | 400 | Text Domain Mismatch | ||
| #2575 | International Telephone Input for Contact Form 7 | 53 | 18 | 10 | 8k+ | Missing direct file access protection | ||
| #2576 | LearnPress – bbPress Integration | 53 | 19 | 14 | 2k+ | Output is not escaped | ||
| #2577 | Multiple external product URLs for WooCommerce | 53 | 28 | 17 | 400 | Text Domain Mismatch | ||
| #2578 | Pure Metafields | 53 | 5 | 130 | 10k+ | Non-prefixed global variable | ||
| #2579 | RDFa Breadcrumb | 53 | 27 | 13 | 600 | Output is not escaped | ||
| #2580 | Send Email From Admin | 53 | 27 | 13 | 700 | Text Domain Mismatch | ||
| #2581 | SoundPress Plugin | 53 | 44 | 3 | 1k+ | Output is not escaped | ||
| #2582 | Widget Context | 53 | 14 | 20 | 40k+ | Non-prefixed hook name | ||
| #2583 | WP Login Logo | 53 | 28 | 9 | 500 | Unsafe printing function | ||
| #2584 | Peadig's Twitter Feed: Embedded Timeline WordPress Plugin | 53 | 37 | 6 | 500 | Output is not escaped | ||
| #2585 | Analytics Head | 54 | 34 | 7 | 600 | Output is not escaped | ||
| #2586 | Better Menu Widget | 54 | 32 | 1 | 600 | Output is not escaped | ||
| #2587 | CSV Importer | 54 | 24 | 11 | 3k+ | Missing direct file access protection | ||
| #2588 | Custom Category Templates | 54 | 11 | 11 | 3k+ | Unsafe printing function | ||
| #2589 | Disable Media Sizes | 54 | 14 | 7 | 10k+ | Output is not escaped | ||
| #2590 | FireCask Like & Share Button | 54 | 32 | 6 | 400 | Output is not escaped | ||
| #2591 | Flexible Spacer Block | 54 | 34 | 15 | 4k+ | Unsafe printing function | ||
| #2592 | Gravity Forms + Custom Post Types | 54 | 44 | 7 | 10k+ | Output is not escaped | ||
| #2593 | ImageMagick Sharpen Resized Images | 54 | 22 | 6 | 1k+ | Output is not escaped | ||
| #2594 | PWA — easy way to Progressive Web App | 54 | 15 | 44 | 2k+ | Dynamic hook name | ||
| #2595 | Post Editor Buttons Fork | 54 | 24 | 3 | 800 | Unsafe printing function | ||
| #2596 | Responsive Like Box, Like Box Widget | 54 | 43 | 4 | 1k+ | Output is not escaped | ||
| #2597 | EMI Calculator | 54 | 28 | 12 | 700 | Output is not escaped | ||
| #2598 | Simple XML Sitemap Generator | 54 | 8 | 28 | 3k+ | Non-prefixed function | ||
| #2599 | SmartFormat feed for SmartNews | 54 | 64 | 27 | 1k+ | Missing Arg Domain | ||
| #2600 | Sp*tify Play Button for WordPress | 54 | 21 | 15 | 3k+ | Text Domain Mismatch |