WordPress.Security.EscapeOutput.UnsafePrintingFunction

Unsafe printing function

A printing function is outputting dynamic content without proving that the content is escaped.

critical weight

Why It Shows Up

The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.

Why It Matters

Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.

How to Fix

  • Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
  • Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
  • Avoid marking values as safe unless they are hard-coded or already strictly constrained.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2551Simple Cookie Notification Bar514961k+Text Domain Mismatch
#2552The Cache Purger5116161k+Non Singular String Literal Text
#2553The Paste51191110k+Unsafe printing function
#2554Toolbar Publish Button513745k+Unsafe printing function
#2555Visual Sitemap51236400Output is not escaped
#2556REST API Log5144955k+Non-prefixed hook name
#2557Affiliate Area Shortcodes by AffiliateWP5256162k+Text Domain Mismatch
#2558Bloglovin Button52331800Output is not escaped
#2559Firelight Lightbox527897200k+Non-prefixed global variable
#2560Easy WP Page Navigation52608800Non Singular String Literal Domain
#2561Formstack Online Forms5239201k+Output is not escaped
#2562Meta Generator and Version Info Remover52202810k+Non-prefixed function
#2563Plugins Load Order523216500Non Singular String Literal Domain
#2564Product Bundles – Variation Bundles522313600Output is not escaped
#2565Remove Uppercase Accents524128k+Unsafe printing function
#2566Stealth Publish52722900Missing nonce verification
#2567Custom Post Template By Templatic521914600Text Domain Mismatch
#2568Add to Cart Custom Redirect for WooCommerce5233132k+Text Domain Mismatch
#2569WP Eventbrite Embedded Checkout52497700Text Domain Mismatch
#2570Bg RuTube Embed5319211k+Unsafe printing function
#2571Bulk Actions Select All532622800Text Domain Mismatch
#2572Column Shortcodes5332960k+Unsafe printing function
#2573Export Custom Pages532219700Output is not escaped
#2574Focus Videos53369400Text Domain Mismatch
#2575International Telephone Input for Contact Form 75318108k+Missing direct file access protection
#2576LearnPress – bbPress Integration5319142k+Output is not escaped
#2577Multiple external product URLs for WooCommerce532817400Text Domain Mismatch
#2578Pure Metafields53513010k+Non-prefixed global variable
#2579RDFa Breadcrumb532713600Output is not escaped
#2580Send Email From Admin532713700Text Domain Mismatch
#2581SoundPress Plugin534431k+Output is not escaped
#2582Widget Context53142040k+Non-prefixed hook name
#2583WP Login Logo53289500Unsafe printing function
#2584Peadig's Twitter Feed: Embedded Timeline WordPress Plugin53376500Output is not escaped
#2585Analytics Head54347600Output is not escaped
#2586Better Menu Widget54321600Output is not escaped
#2587CSV Importer5424113k+Missing direct file access protection
#2588Custom Category Templates5411113k+Unsafe printing function
#2589Disable Media Sizes5414710k+Output is not escaped
#2590FireCask Like & Share Button54326400Output is not escaped
#2591Flexible Spacer Block5434154k+Unsafe printing function
#2592Gravity Forms + Custom Post Types5444710k+Output is not escaped
#2593ImageMagick Sharpen Resized Images542261k+Output is not escaped
#2594PWA — easy way to Progressive Web App5415442k+Dynamic hook name
#2595Post Editor Buttons Fork54243800Unsafe printing function
#2596Responsive Like Box, Like Box Widget544341k+Output is not escaped
#2597EMI Calculator542812700Output is not escaped
#2598Simple XML Sitemap Generator548283k+Non-prefixed function
#2599SmartFormat feed for SmartNews5464271k+Missing Arg Domain
#2600Sp*tify Play Button for WordPress5421153k+Text Domain Mismatch