WordPress.Security.EscapeOutput.UnsafePrintingFunction

Unsafe printing function

A printing function is outputting dynamic content without proving that the content is escaped.

critical weight

Why It Shows Up

The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.

Why It Matters

Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.

How to Fix

  • Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
  • Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
  • Avoid marking values as safe unless they are hard-coded or already strictly constrained.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2601Post Badges541913400Output is not escaped
#2602WC Duplicate Order541215500Nonce verification recommended
#2603WP Call Button – Easy Click to Call Button for WordPress54213840k+Non-prefixed global variable
#2604WP Login Timeout Settings54277600Output is not escaped
#2605WP Resized Image Quality54199800Output is not escaped
#2606WP Social Preview543315800Non Singular String Literal Domain
#2607Ascending Posts by Fly Plugins552313500Text Domain Mismatch
#2608Auto Image Alt Attribute552676k+Unsafe printing function
#2609Clean Archives Reloaded55256600Unsafe printing function
#2610Custom Upload Dir556375k+Missing Arg Domain
#2611Genesis Columns Advanced5526410k+Unsafe printing function
#2612Login or Logout Menu Item5513720k+Unsafe printing function
#2613Page Tagger5530102k+Output is not escaped
#2614Quick Bulk Post & Page Creator554312k+Text Domain Mismatch
#2615Quick Bulk Term Taxonomy Creator55372400Text Domain Mismatch
#2616Refer A Friend for WooCommerce by WPGens5577211k+Text Domain Mismatch
#2617Rescue Shortcodes555421k+Unsafe printing function
#2618Semrush Content Toolkit5522242k+Non-prefixed global variable
#2619SM Vertical Menu55451400Output is not escaped
#2620Free customer chat solution551810500Output is not escaped
#2621Image Widget by Angie Makes55483500Output is not escaped
#2622All in One SEO Pack Importer561725500Direct Query
#2623BotPenguin – Generative AI Chatbot with Live Chat & ChatGPT56127600Unsafe printing function
#2624BuddyCommerce: WooCommerce and BuddyPress Integration562919800Output is not escaped
#2625Easy Digital Downloads Featured Downloads5615151k+Output is not escaped
#2626FV Top Level Categories56241620k+Text Domain Mismatch
#2627Kwayy HTML Sitemap5613196k+Missing nonce verification
#2628Quick Flickr Widget56372400Output is not escaped
#2629Require Featured Image562063k+Output is not escaped
#2630ThemeinWP Import Companion5617144k+Unsafe printing function
#2631USERCENTRICS CMP5644111k+Non Singular String Literal Domain
#2632Video Dashboard56331600Output is not escaped
#2633Cresta Social Share Counter5712132k+Output is not escaped
#2634Delete Pending Comments57161110k+Unsafe printing function
#2635Disable Cart Fragments by Optimocha5781310k+Nonce verification recommended
#2636Live Chat by Formilla – Real-time Chat & Chatbots Plugin5722132k+Missing Arg Domain
#2637JSON API User5717341k+Non-prefixed hook name
#2638Public Post Preview57811100k+Nonce verification recommended
#2639Simple CSS57221380k+Missing Version
#2640Site Health Tool Manager571351k+Unsafe printing function
#2641Timologia for WooCommerce5775223k+Text Domain Mismatch
#2642tinyWYM Editor575531k+Text Domain Mismatch
#2643WP Old Post Date Remover572572k+Unsafe printing function
#2644WP Admin Category Search5823112k+Unsafe printing function
#2645Admin Page Notes581715700Text Domain Mismatch
#2646Basic User Avatars5817720k+Output is not escaped
#2647Contact Form DB for Enfold582114700Output is not escaped
#2648Custom Meta Widget585527k+Output is not escaped
#2649Customization for WP SEO5815102k+Unsafe printing function
#2650E-namad & Shamed Logo Manager582622k+Output is not escaped