WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2651 | Nginx Cache | 58 | 12 | 8 | 10k+ | Unsafe printing function | ||
| #2652 | PW WooCommerce BOGO | 58 | 30 | 8 | 400 | Unsafe printing function | ||
| #2653 | Remove CPT base | 58 | 15 | 16 | 10k+ | Input is not sanitized | ||
| #2654 | Ultimate Member – Online Users | 58 | 25 | 4 | 3k+ | Output is not escaped | ||
| #2655 | WebP Express Plus | 58 | 19 | 11 | 700 | Unsafe printing function | ||
| #2656 | Cloak Affiliate Links for WooCommerce | 58 | 28 | 6 | 2k+ | Non Singular String Literal Domain | ||
| #2657 | WP Healthcheck | 58 | 37 | 73 | 1k+ | Non-prefixed global variable | ||
| #2658 | Cresta Posts Box | 59 | 10 | 13 | 1k+ | Output is not escaped | ||
| #2659 | etracker analytics | 59 | 16 | 9 | 1k+ | Exception output is not escaped | ||
| #2660 | Gettext override translations | 59 | 33 | 7 | 2k+ | Missing Arg Domain | ||
| #2661 | Gravity Forms: Notification Attachments | 59 | 18 | 7 | 500 | Output is not escaped | ||
| #2662 | Gravity Forms Approvals Add-On | 59 | 17 | 6 | 800 | Output is not escaped | ||
| #2663 | Logo or Image Replace by mycore.global | 59 | 30 | 12 | 400 | Text Domain Mismatch | ||
| #2664 | Multiple Packages for WooCommerce | 59 | 34 | 4 | 600 | Text Domain Mismatch | ||
| #2665 | Post Type Select Field for Advanced Custom Fields | 59 | 48 | 1 | 900 | Text Domain Mismatch | ||
| #2666 | Resize Image After Upload | 59 | 15 | 11 | 80k+ | Output is not escaped | ||
| #2667 | Videojs HTML5 Player | 59 | 12 | 12 | 8k+ | Nonce verification recommended | ||
| #2668 | Konnect Payment Gateway for WooCommerce | 59 | 39 | 16 | 400 | Text Domain Mismatch | ||
| #2669 | WP Shortcode by MyThemeShop | 59 | 32 | 5 | 10k+ | Output is not escaped | ||
| #2670 | WPML Widgets | 59 | 9 | 9 | 9k+ | Unsafe printing function | ||
| #2671 | Accesibilidad Web con el Widget de AccedeMe | 60 | 22 | 23 | 1k+ | Text Domain Mismatch | ||
| #2672 | Contact Form 7 – Phone mask field | 60 | 21 | 7 | 20k+ | Unsafe printing function | ||
| #2673 | Contact Form 7 Modules | 60 | 47 | 15 | 5k+ | Text Domain Mismatch | ||
| #2674 | Flat Rate per State/Country/Region for WooCommerce | 60 | 27 | 4 | 1k+ | Output is not escaped | ||
| #2675 | GamiPress – Button | 60 | 34 | 8 | 900 | Text Domain Mismatch | ||
| #2676 | Interactive Polish Map | 60 | 30 | 4 | 500 | Output is not escaped | ||
| #2677 | Material Design for WordPress | 60 | 51 | 207 | 800 | Non-prefixed global variable | ||
| #2678 | Simple Owl Carousel | 60 | 23 | 13 | 500 | Missing Translators Comment | ||
| #2679 | Accessibility Font Resizer | 61 | 54 | 1 | 800 | Text Domain Mismatch | ||
| #2680 | Ads.txt Manager | 61 | 33 | 16 | 4k+ | Text Domain Mismatch | ||
| #2681 | In-Post Ads | 61 | 27 | 10 | 600 | Text Domain Mismatch | ||
| #2682 | Custom Buttons for WooCommerce – Add To Cart Button for Product Types | 61 | 58 | 4 | 2k+ | Text Domain Mismatch | ||
| #2683 | Compact WP Audio Player | 61 | 12 | 21 | 20k+ | Non-prefixed function | ||
| #2684 | Constructor for SiteOrigin | 61 | 29 | 6 | 600 | Output is not escaped | ||
| #2685 | Disable Right Click For WP | 61 | 15 | 12 | 10k+ | Missing nonce verification | ||
| #2686 | Equal Height Columns | 61 | 24 | 5 | 10k+ | Output is not escaped | ||
| #2687 | GamiPress – Link | 61 | 32 | 5 | 800 | Output is not escaped | ||
| #2688 | Hotjar | 61 | 16 | 4 | 70k+ | Output is not escaped | ||
| #2689 | jQuery Lightbox | 61 | 22 | 3 | 1k+ | Output is not escaped | ||
| #2690 | Media Library Helper — Bulk edit image ALT, caption & description | 61 | 16 | 70 | 10k+ | Non-prefixed global variable | ||
| #2691 | Mentions Legales Par Webdeclic | 61 | 82 | 39 | 500 | Non Singular String Literal Domain | ||
| #2692 | Newspack Newsletters | 61 | 53 | 47 | 1k+ | Request data is not unslashed | ||
| #2693 | Organic Custom Content | 61 | 8 | 18 | 700 | Input is not sanitized | ||
| #2694 | PW WooCommerce Copy Coupon | 61 | 15 | 17 | 1k+ | Text Domain Mismatch | ||
| #2695 | Remove Featured Image | 61 | 21 | 12 | 1k+ | Missing Arg Domain | ||
| #2696 | SSL Certificate Manager | 61 | 14 | 7 | 600 | Output is not escaped | ||
| #2697 | QR Code PicPay for WooCommerce | 61 | 15 | 25 | 600 | Non-prefixed global variable | ||
| #2698 | Show Variations as Single Products for WooCommerce | 61 | 12 | 27 | 500 | Unsafe printing function | ||
| #2699 | Bulk Edit YOAST SEO fields in Spreadsheet | 61 | 56 | 16 | 1k+ | Non Singular String Literal Domain | ||
| #2700 | WP-UTF8-Excerpt | 61 | 17 | 10 | 700 | Unsafe printing function |