WordPress.Security.EscapeOutput.UnsafePrintingFunction

Unsafe printing function

A printing function is outputting dynamic content without proving that the content is escaped.

critical weight

Why It Shows Up

The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.

Why It Matters

Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.

How to Fix

  • Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
  • Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
  • Avoid marking values as safe unless they are hard-coded or already strictly constrained.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2701Custom Site Logo622641k+Unsafe printing function
#2702Disable Visual Editor WYSIWYG6210121k+Nonce verification recommended
#2703Genesis Accessible624917500Text Domain Mismatch
#2704Include Matomo Tracking, by Jonas Hellmann62144500Setting is missing a sanitization callback
#2705Single Post Template621484k+Text Domain Mismatch
#2706Sitewide Notice WP626133k+Output is not escaped
#2707Uber Login Logo6216510k+Unsafe printing function
#2708WiserNotify – Social Proof & FOMO Notifications, WooCommerce Sales Popups, Reviews & Announcement Bar6213321k+Request data is not unslashed
#2709WP Category Sort621522500Text Domain Mismatch
#2710Zen Menu Logic621931k+Output is not escaped
#2711cbnet Multi Author Comment Notification631871k+Output is not escaped
#2712Christmasify!631872k+Output is not escaped
#2713Classic Editor631779m+Unsafe printing function
#2714Classic Text Widget632512k+Output is not escaped
#2715Creative Clans Embed Script63109600Input is not sanitized
#2716Placeholder Image for WooCommerce63315400Output is not escaped
#2717Email Post Changes63438500Missing Arg Domain
#2718FeedFocal631662k+Unsafe printing function
#2719Happierleads – Identify your B2B website visitors even if they work remotely63327600wp function not compatible with requires wp
#2720Hide Admin Bar From Front End638171k+Input is not validated
#2721Instant Images – One-click Image Uploads from Unsplash, Openverse, Pixabay, Pexels, and Giphy633116100k+Missing direct file access protection
#2722Integrate GA4 Google Analytics63333500Text Domain Mismatch
#2723Latest Posts632715k+Output is not escaped
#2724Social Intents – Live Chat634211400Non Singular String Literal Domain
#2725Missed Scheduled Posts Publisher by WPBeginner63161730k+Text Domain Mismatch
#2726Recent Posts by Category Widget632404k+Output is not escaped
#2727Simple WWW Redirect632651k+Output is not escaped
#2728Phone Validator for WooCommerce638331k+Missing nonce verification
#2729Admin CSS MU643058210k+Non-prefixed global variable
#2730Broadly for WordPress64185500Unsafe printing function
#2731CodeColorer64652661k+Non-prefixed global variable
#2732Delete Unscaled Images64244800Text Domain Mismatch
#2733Easy Duplicate Woo Order6417101k+Unsafe printing function
#2734Embed Google Fonts642875k+Output is not escaped
#2735Image Hover Effects – Elementor Addon64117740k+Text Domain Mismatch
#2736Master Post Advert642641k+Unsafe printing function
#2737Moosend Website Connector6415121k+Non Singular String Literal Domain
#2738New Recent Posts Select Categories By Thao Marky64331500Text Domain Mismatch
#2739Nofollow for external link648510k+Output is not escaped
#2740Page in Widget642601k+Output is not escaped
#2741Page Tag Cloud64213500Output is not escaped
#2742PHP Code Widget6422180k+Output is not escaped
#2743Simple HTTPS Redirect64195900Output is not escaped
#2744Stag Custom Sidebars6410122k+Text Domain Mismatch
#2745Oceanwp sticky header6481310k+Missing nonce verification
#2746Sticky Side Buttons6427410k+Unsafe printing function
#2747Thumbnail Crop Position644312k+Output is not escaped
#2748YaMaps for WordPress Plugin64213010k+Non-prefixed global variable
#2749ACF: Sidebar Selector65272800Output is not escaped
#2750Custom Product Tabs for WooCommerce WP All Import Add-on6518181k+Non-prefixed global variable