WordPress.Security.EscapeOutput.UnsafePrintingFunction

Unsafe printing function

A printing function is outputting dynamic content without proving that the content is escaped.

critical weight

Why It Shows Up

The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.

Why It Matters

Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.

How to Fix

  • Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
  • Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
  • Avoid marking values as safe unless they are hard-coded or already strictly constrained.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2651Nginx Cache5812810k+Unsafe printing function
#2652PW WooCommerce BOGO58308400Unsafe printing function
#2653Remove CPT base58151610k+Input is not sanitized
#2654Ultimate Member – Online Users582543k+Output is not escaped
#2655WebP Express Plus581911700Unsafe printing function
#2656Cloak Affiliate Links for WooCommerce582862k+Non Singular String Literal Domain
#2657WP Healthcheck5837731k+Non-prefixed global variable
#2658Cresta Posts Box5910131k+Output is not escaped
#2659etracker analytics591691k+Exception output is not escaped
#2660Gettext override translations593372k+Missing Arg Domain
#2661Gravity Forms: Notification Attachments59187500Output is not escaped
#2662Gravity Forms Approvals Add-On59176800Output is not escaped
#2663Logo or Image Replace by mycore.global593012400Text Domain Mismatch
#2664Multiple Packages for WooCommerce59344600Text Domain Mismatch
#2665Post Type Select Field for Advanced Custom Fields59481900Text Domain Mismatch
#2666Resize Image After Upload59151180k+Output is not escaped
#2667Videojs HTML5 Player5912128k+Nonce verification recommended
#2668Konnect Payment Gateway for WooCommerce593916400Text Domain Mismatch
#2669WP Shortcode by MyThemeShop5932510k+Output is not escaped
#2670WPML Widgets59999k+Unsafe printing function
#2671Accesibilidad Web con el Widget de AccedeMe6022231k+Text Domain Mismatch
#2672Contact Form 7 – Phone mask field6021720k+Unsafe printing function
#2673Contact Form 7 Modules6047155k+Text Domain Mismatch
#2674Flat Rate per State/Country/Region for WooCommerce602741k+Output is not escaped
#2675GamiPress – Button60348900Text Domain Mismatch
#2676Interactive Polish Map60304500Output is not escaped
#2677Material Design for WordPress6051207800Non-prefixed global variable
#2678Simple Owl Carousel602313500Missing Translators Comment
#2679Accessibility Font Resizer61541800Text Domain Mismatch
#2680Ads.txt Manager6133164k+Text Domain Mismatch
#2681In-Post Ads612710600Text Domain Mismatch
#2682Custom Buttons for WooCommerce – Add To Cart Button for Product Types615842k+Text Domain Mismatch
#2683Compact WP Audio Player61122120k+Non-prefixed function
#2684Constructor for SiteOrigin61296600Output is not escaped
#2685Disable Right Click For WP61151210k+Missing nonce verification
#2686Equal Height Columns6124510k+Output is not escaped
#2687GamiPress – Link61325800Output is not escaped
#2688Hotjar6116470k+Output is not escaped
#2689jQuery Lightbox612231k+Output is not escaped
#2690Media Library Helper — Bulk edit image ALT, caption & description61167010k+Non-prefixed global variable
#2691Mentions Legales Par Webdeclic618239500Non Singular String Literal Domain
#2692Newspack Newsletters6153471k+Request data is not unslashed
#2693Organic Custom Content61818700Input is not sanitized
#2694PW WooCommerce Copy Coupon6115171k+Text Domain Mismatch
#2695Remove Featured Image6121121k+Missing Arg Domain
#2696SSL Certificate Manager61147600Output is not escaped
#2697QR Code PicPay for WooCommerce611525600Non-prefixed global variable
#2698Show Variations as Single Products for WooCommerce611227500Unsafe printing function
#2699Bulk Edit YOAST SEO fields in Spreadsheet6156161k+Non Singular String Literal Domain
#2700WP-UTF8-Excerpt611710700Unsafe printing function