WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2701 | Custom Site Logo | 62 | 26 | 4 | 1k+ | Unsafe printing function | ||
| #2702 | Disable Visual Editor WYSIWYG | 62 | 10 | 12 | 1k+ | Nonce verification recommended | ||
| #2703 | Genesis Accessible | 62 | 49 | 17 | 500 | Text Domain Mismatch | ||
| #2704 | Include Matomo Tracking, by Jonas Hellmann | 62 | 14 | 4 | 500 | Setting is missing a sanitization callback | ||
| #2705 | Single Post Template | 62 | 14 | 8 | 4k+ | Text Domain Mismatch | ||
| #2706 | Sitewide Notice WP | 62 | 6 | 13 | 3k+ | Output is not escaped | ||
| #2707 | Uber Login Logo | 62 | 16 | 5 | 10k+ | Unsafe printing function | ||
| #2708 | WiserNotify – Social Proof & FOMO Notifications, WooCommerce Sales Popups, Reviews & Announcement Bar | 62 | 13 | 32 | 1k+ | Request data is not unslashed | ||
| #2709 | WP Category Sort | 62 | 15 | 22 | 500 | Text Domain Mismatch | ||
| #2710 | Zen Menu Logic | 62 | 19 | 3 | 1k+ | Output is not escaped | ||
| #2711 | cbnet Multi Author Comment Notification | 63 | 18 | 7 | 1k+ | Output is not escaped | ||
| #2712 | Christmasify! | 63 | 18 | 7 | 2k+ | Output is not escaped | ||
| #2713 | Classic Editor | 63 | 17 | 7 | 9m+ | Unsafe printing function | ||
| #2714 | Classic Text Widget | 63 | 25 | 1 | 2k+ | Output is not escaped | ||
| #2715 | Creative Clans Embed Script | 63 | 10 | 9 | 600 | Input is not sanitized | ||
| #2716 | Placeholder Image for WooCommerce | 63 | 31 | 5 | 400 | Output is not escaped | ||
| #2717 | Email Post Changes | 63 | 43 | 8 | 500 | Missing Arg Domain | ||
| #2718 | FeedFocal | 63 | 16 | 6 | 2k+ | Unsafe printing function | ||
| #2719 | Happierleads – Identify your B2B website visitors even if they work remotely | 63 | 32 | 7 | 600 | wp function not compatible with requires wp | ||
| #2720 | Hide Admin Bar From Front End | 63 | 8 | 17 | 1k+ | Input is not validated | ||
| #2721 | Instant Images – One-click Image Uploads from Unsplash, Openverse, Pixabay, Pexels, and Giphy | 63 | 31 | 16 | 100k+ | Missing direct file access protection | ||
| #2722 | Integrate GA4 Google Analytics | 63 | 33 | 3 | 500 | Text Domain Mismatch | ||
| #2723 | Latest Posts | 63 | 27 | 1 | 5k+ | Output is not escaped | ||
| #2724 | Social Intents – Live Chat | 63 | 42 | 11 | 400 | Non Singular String Literal Domain | ||
| #2725 | Missed Scheduled Posts Publisher by WPBeginner | 63 | 16 | 17 | 30k+ | Text Domain Mismatch | ||
| #2726 | Recent Posts by Category Widget | 63 | 24 | 0 | 4k+ | Output is not escaped | ||
| #2727 | Simple WWW Redirect | 63 | 26 | 5 | 1k+ | Output is not escaped | ||
| #2728 | Phone Validator for WooCommerce | 63 | 8 | 33 | 1k+ | Missing nonce verification | ||
| #2729 | Admin CSS MU | 64 | 30 | 582 | 10k+ | Non-prefixed global variable | ||
| #2730 | Broadly for WordPress | 64 | 18 | 5 | 500 | Unsafe printing function | ||
| #2731 | CodeColorer | 64 | 65 | 266 | 1k+ | Non-prefixed global variable | ||
| #2732 | Delete Unscaled Images | 64 | 24 | 4 | 800 | Text Domain Mismatch | ||
| #2733 | Easy Duplicate Woo Order | 64 | 17 | 10 | 1k+ | Unsafe printing function | ||
| #2734 | Embed Google Fonts | 64 | 28 | 7 | 5k+ | Output is not escaped | ||
| #2735 | Image Hover Effects – Elementor Addon | 64 | 117 | 7 | 40k+ | Text Domain Mismatch | ||
| #2736 | Master Post Advert | 64 | 26 | 4 | 1k+ | Unsafe printing function | ||
| #2737 | Moosend Website Connector | 64 | 15 | 12 | 1k+ | Non Singular String Literal Domain | ||
| #2738 | New Recent Posts Select Categories By Thao Marky | 64 | 33 | 1 | 500 | Text Domain Mismatch | ||
| #2739 | Nofollow for external link | 64 | 8 | 5 | 10k+ | Output is not escaped | ||
| #2740 | Page in Widget | 64 | 26 | 0 | 1k+ | Output is not escaped | ||
| #2741 | Page Tag Cloud | 64 | 21 | 3 | 500 | Output is not escaped | ||
| #2742 | PHP Code Widget | 64 | 22 | 1 | 80k+ | Output is not escaped | ||
| #2743 | Simple HTTPS Redirect | 64 | 19 | 5 | 900 | Output is not escaped | ||
| #2744 | Stag Custom Sidebars | 64 | 10 | 12 | 2k+ | Text Domain Mismatch | ||
| #2745 | Oceanwp sticky header | 64 | 8 | 13 | 10k+ | Missing nonce verification | ||
| #2746 | Sticky Side Buttons | 64 | 27 | 4 | 10k+ | Unsafe printing function | ||
| #2747 | Thumbnail Crop Position | 64 | 43 | 1 | 2k+ | Output is not escaped | ||
| #2748 | YaMaps for WordPress Plugin | 64 | 21 | 30 | 10k+ | Non-prefixed global variable | ||
| #2749 | ACF: Sidebar Selector | 65 | 27 | 2 | 800 | Output is not escaped | ||
| #2750 | Custom Product Tabs for WooCommerce WP All Import Add-on | 65 | 18 | 18 | 1k+ | Non-prefixed global variable |