WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2751 | Futy.io Leadbots | 65 | 73 | 9 | 2k+ | wp function not compatible with requires wp | ||
| #2752 | Genesis Visual Hook Guide | 65 | 13 | 14 | 700 | Nonce verification recommended | ||
| #2753 | WP All Import – Import SEO Settings for All In One SEO | 65 | 19 | 11 | 900 | Output is not escaped | ||
| #2754 | Integration for Elementor forms – Sendinblue | 65 | 94 | 56 | 7k+ | Text Domain Mismatch | ||
| #2755 | Slider Revolution Search Replace | 65 | 5 | 14 | 900 | Input is not validated | ||
| #2756 | User Last Login | 65 | 27 | 5 | 600 | Output is not escaped | ||
| #2757 | Lime Connect (formerly Userlike) – WordPress Live Chat plugin | 65 | 22 | 3 | 900 | Output is not escaped | ||
| #2758 | Vf Expansion | 65 | 58 | 52 | 1k+ | Non-prefixed global variable | ||
| #2759 | Add to Cart Text Changer and Customize Button, Add Custom Icon | 65 | 87 | 18 | 2k+ | Text Domain Mismatch | ||
| #2760 | WP SEO HTML Sitemap | 65 | 22 | 15 | 6k+ | Output is not escaped | ||
| #2761 | ACF RGBA Color Picker | 66 | 37 | 3 | 6k+ | Text Domain Mismatch | ||
| #2762 | Calculated fields for ACF | 66 | 5 | 18 | 1k+ | Non-prefixed global variable | ||
| #2763 | Custom Login Page Templates – Change Logo, Background and CSS | 66 | 25 | 5 | 2k+ | Missing Arg Domain | ||
| #2764 | Custom Posts Per Page | 66 | 20 | 2 | 900 | Unsafe printing function | ||
| #2765 | Custom Posts Per Page Reloaded | 66 | 40 | 3 | 700 | Text Domain Mismatch | ||
| #2766 | No Right Click, Content Copy Protection, Disable Right Click by RB | 66 | 23 | 2 | 600 | Unsafe printing function | ||
| #2767 | Duplicate Menu | 66 | 11 | 7 | 100k+ | Unsafe printing function | ||
| #2768 | Font Size | 66 | 17 | 1 | 600 | Unsafe printing function | ||
| #2769 | Free Property Valuation (Lead Generator) / Kostenlose Immobilienbewertung | 66 | 11 | 5 | 600 | Unsafe printing function | ||
| #2770 | LeadBack – Callback, Chatbot and Live Chat Widgets for WordPress sites | 66 | 17 | 5 | 600 | Unsafe printing function | ||
| #2771 | Link Widget Title | 66 | 22 | 5 | 4k+ | Output is not escaped | ||
| #2772 | Page Meta | 66 | 26 | 14 | 700 | Missing Arg Domain | ||
| #2773 | Product Size Chart For WooCommerce | 66 | 9 | 22 | 6k+ | Non-prefixed hook name | ||
| #2774 | Shortcode for Current Date | 66 | 27 | 12 | 10k+ | Text Domain Mismatch | ||
| #2775 | User Profile Picture | 66 | 9 | 8 | 4k+ | Missing nonce verification | ||
| #2776 | Frenet Shipping Gateway for WooCommerce – Correios, Etiquetas e Rastreio | 66 | 22 | 31 | 4k+ | Non-prefixed global variable | ||
| #2777 | WooCommerce Accepted Payment Methods | 66 | 28 | 4 | 2k+ | badly named files | ||
| #2778 | Add Logo to Admin | 67 | 14 | 3 | 6k+ | Unsafe printing function | ||
| #2779 | Address correction autocomplete for Woo | 67 | 19 | 9 | 1k+ | Text Domain Mismatch | ||
| #2780 | CCM19 Integration | 67 | 14 | 13 | 4k+ | Nonce verification recommended | ||
| #2781 | Dynamic Text Field For Contact Form 7 | 67 | 20 | 7 | 1k+ | Unsafe printing function | ||
| #2782 | Forget Spam Comment | 67 | 5 | 10 | 10k+ | Input is not sanitized | ||
| #2783 | Leadster | 67 | 6 | 10 | 4k+ | Non-prefixed function | ||
| #2784 | Simple Calendar – Advanced Custom Fields | 67 | 18 | 6 | 400 | Output is not escaped | ||
| #2785 | Simple HTTPS | 67 | 17 | 13 | 400 | Output is not escaped | ||
| #2786 | Simple Membership Custom Messages | 67 | 47 | 0 | 7k+ | Text Domain Mismatch | ||
| #2787 | Text Expander | 67 | 50 | 15 | 600 | wp function not compatible with requires wp | ||
| #2788 | Widget Contact Form 7 | 67 | 22 | 2 | 1k+ | Output is not escaped | ||
| #2789 | WP-Copyright-Protection | 67 | 24 | 5 | 5k+ | wp function not compatible with requires wp | ||
| #2790 | JAMstack Deployments | 67 | 33 | 3 | 1k+ | Short PHP open tag found | ||
| #2791 | WP Logout Redirect | 67 | 20 | 5 | 400 | Unsafe printing function | ||
| #2792 | Autoclear Autoptimize Cache | 68 | 16 | 3 | 8k+ | Output is not escaped | ||
| #2793 | Default Attributes for WooCommerce | 68 | 22 | 18 | 400 | Non-prefixed hook name | ||
| #2794 | Exchange Rates Today | 68 | 9 | 10 | 400 | Non-prefixed function | ||
| #2795 | Expire Sticky Posts | 68 | 16 | 8 | 1k+ | Text Domain Mismatch | ||
| #2796 | Guestplan Booking Widget | 68 | 43 | 6 | 1k+ | Text Domain Mismatch | ||
| #2797 | Logo Switcher | 68 | 14 | 2 | 800 | Output is not escaped | ||
| #2798 | PagBank for WooCommerce | 68 | 8 | 36 | 3k+ | Input is not sanitized | ||
| #2799 | Pinterest Verify Meta Tag | 68 | 20 | 6 | 600 | Output is not escaped | ||
| #2800 | Postepay Gateway per Woocommerce | 68 | 36 | 4 | 1k+ | Text Domain Mismatch |