WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2601 | Post Badges | 54 | 19 | 13 | 400 | Output is not escaped | ||
| #2602 | WC Duplicate Order | 54 | 12 | 15 | 500 | Nonce verification recommended | ||
| #2603 | WP Call Button – Easy Click to Call Button for WordPress | 54 | 21 | 38 | 40k+ | Non-prefixed global variable | ||
| #2604 | WP Login Timeout Settings | 54 | 27 | 7 | 600 | Output is not escaped | ||
| #2605 | WP Resized Image Quality | 54 | 19 | 9 | 800 | Output is not escaped | ||
| #2606 | WP Social Preview | 54 | 33 | 15 | 800 | Non Singular String Literal Domain | ||
| #2607 | Ascending Posts by Fly Plugins | 55 | 23 | 13 | 500 | Text Domain Mismatch | ||
| #2608 | Auto Image Alt Attribute | 55 | 26 | 7 | 6k+ | Unsafe printing function | ||
| #2609 | Clean Archives Reloaded | 55 | 25 | 6 | 600 | Unsafe printing function | ||
| #2610 | Custom Upload Dir | 55 | 63 | 7 | 5k+ | Missing Arg Domain | ||
| #2611 | Genesis Columns Advanced | 55 | 26 | 4 | 10k+ | Unsafe printing function | ||
| #2612 | Login or Logout Menu Item | 55 | 13 | 7 | 20k+ | Unsafe printing function | ||
| #2613 | Page Tagger | 55 | 30 | 10 | 2k+ | Output is not escaped | ||
| #2614 | Quick Bulk Post & Page Creator | 55 | 43 | 1 | 2k+ | Text Domain Mismatch | ||
| #2615 | Quick Bulk Term Taxonomy Creator | 55 | 37 | 2 | 400 | Text Domain Mismatch | ||
| #2616 | Refer A Friend for WooCommerce by WPGens | 55 | 77 | 21 | 1k+ | Text Domain Mismatch | ||
| #2617 | Rescue Shortcodes | 55 | 54 | 2 | 1k+ | Unsafe printing function | ||
| #2618 | Semrush Content Toolkit | 55 | 22 | 24 | 2k+ | Non-prefixed global variable | ||
| #2619 | SM Vertical Menu | 55 | 45 | 1 | 400 | Output is not escaped | ||
| #2620 | Free customer chat solution | 55 | 18 | 10 | 500 | Output is not escaped | ||
| #2621 | Image Widget by Angie Makes | 55 | 48 | 3 | 500 | Output is not escaped | ||
| #2622 | All in One SEO Pack Importer | 56 | 17 | 25 | 500 | Direct Query | ||
| #2623 | BotPenguin – Generative AI Chatbot with Live Chat & ChatGPT | 56 | 12 | 7 | 600 | Unsafe printing function | ||
| #2624 | BuddyCommerce: WooCommerce and BuddyPress Integration | 56 | 29 | 19 | 800 | Output is not escaped | ||
| #2625 | Easy Digital Downloads Featured Downloads | 56 | 15 | 15 | 1k+ | Output is not escaped | ||
| #2626 | FV Top Level Categories | 56 | 24 | 16 | 20k+ | Text Domain Mismatch | ||
| #2627 | Kwayy HTML Sitemap | 56 | 13 | 19 | 6k+ | Missing nonce verification | ||
| #2628 | Quick Flickr Widget | 56 | 37 | 2 | 400 | Output is not escaped | ||
| #2629 | Require Featured Image | 56 | 20 | 6 | 3k+ | Output is not escaped | ||
| #2630 | ThemeinWP Import Companion | 56 | 17 | 14 | 4k+ | Unsafe printing function | ||
| #2631 | USERCENTRICS CMP | 56 | 44 | 11 | 1k+ | Non Singular String Literal Domain | ||
| #2632 | Video Dashboard | 56 | 33 | 1 | 600 | Output is not escaped | ||
| #2633 | Cresta Social Share Counter | 57 | 12 | 13 | 2k+ | Output is not escaped | ||
| #2634 | Delete Pending Comments | 57 | 16 | 11 | 10k+ | Unsafe printing function | ||
| #2635 | Disable Cart Fragments by Optimocha | 57 | 8 | 13 | 10k+ | Nonce verification recommended | ||
| #2636 | Live Chat by Formilla – Real-time Chat & Chatbots Plugin | 57 | 22 | 13 | 2k+ | Missing Arg Domain | ||
| #2637 | JSON API User | 57 | 17 | 34 | 1k+ | Non-prefixed hook name | ||
| #2638 | Public Post Preview | 57 | 8 | 11 | 100k+ | Nonce verification recommended | ||
| #2639 | Simple CSS | 57 | 22 | 13 | 80k+ | Missing Version | ||
| #2640 | Site Health Tool Manager | 57 | 13 | 5 | 1k+ | Unsafe printing function | ||
| #2641 | Timologia for WooCommerce | 57 | 75 | 22 | 3k+ | Text Domain Mismatch | ||
| #2642 | tinyWYM Editor | 57 | 55 | 3 | 1k+ | Text Domain Mismatch | ||
| #2643 | WP Old Post Date Remover | 57 | 25 | 7 | 2k+ | Unsafe printing function | ||
| #2644 | WP Admin Category Search | 58 | 23 | 11 | 2k+ | Unsafe printing function | ||
| #2645 | Admin Page Notes | 58 | 17 | 15 | 700 | Text Domain Mismatch | ||
| #2646 | Basic User Avatars | 58 | 17 | 7 | 20k+ | Output is not escaped | ||
| #2647 | Contact Form DB for Enfold | 58 | 21 | 14 | 700 | Output is not escaped | ||
| #2648 | Custom Meta Widget | 58 | 55 | 2 | 7k+ | Output is not escaped | ||
| #2649 | Customization for WP SEO | 58 | 15 | 10 | 2k+ | Unsafe printing function | ||
| #2650 | E-namad & Shamed Logo Manager | 58 | 26 | 2 | 2k+ | Output is not escaped |