WordPress.Security.EscapeOutput.UnsafePrintingFunction

Unsafe printing function

A printing function is outputting dynamic content without proving that the content is escaped.

critical weight

Why It Shows Up

The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.

Why It Matters

Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.

How to Fix

  • Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
  • Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
  • Avoid marking values as safe unless they are hard-coded or already strictly constrained.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2751Futy.io Leadbots657392k+wp function not compatible with requires wp
#2752Genesis Visual Hook Guide651314700Nonce verification recommended
#2753WP All Import – Import SEO Settings for All In One SEO651911900Output is not escaped
#2754Integration for Elementor forms – Sendinblue6594567k+Text Domain Mismatch
#2755Slider Revolution Search Replace65514900Input is not validated
#2756User Last Login65275600Output is not escaped
#2757Lime Connect (formerly Userlike) – WordPress Live Chat plugin65223900Output is not escaped
#2758Vf Expansion6558521k+Non-prefixed global variable
#2759Add to Cart Text Changer and Customize Button, Add Custom Icon6587182k+Text Domain Mismatch
#2760WP SEO HTML Sitemap6522156k+Output is not escaped
#2761ACF RGBA Color Picker663736k+Text Domain Mismatch
#2762Calculated fields for ACF665181k+Non-prefixed global variable
#2763Custom Login Page Templates – Change Logo, Background and CSS662552k+Missing Arg Domain
#2764Custom Posts Per Page66202900Unsafe printing function
#2765Custom Posts Per Page Reloaded66403700Text Domain Mismatch
#2766No Right Click, Content Copy Protection, Disable Right Click by RB66232600Unsafe printing function
#2767Duplicate Menu66117100k+Unsafe printing function
#2768Font Size66171600Unsafe printing function
#2769Free Property Valuation (Lead Generator) / Kostenlose Immobilienbewertung66115600Unsafe printing function
#2770LeadBack – Callback, Chatbot and Live Chat Widgets for WordPress sites66175600Unsafe printing function
#2771Link Widget Title662254k+Output is not escaped
#2772Page Meta662614700Missing Arg Domain
#2773Product Size Chart For WooCommerce669226k+Non-prefixed hook name
#2774Shortcode for Current Date66271210k+Text Domain Mismatch
#2775User Profile Picture66984k+Missing nonce verification
#2776Frenet Shipping Gateway for WooCommerce – Correios, Etiquetas e Rastreio6622314k+Non-prefixed global variable
#2777WooCommerce Accepted Payment Methods662842k+badly named files
#2778Add Logo to Admin671436k+Unsafe printing function
#2779Address correction autocomplete for Woo671991k+Text Domain Mismatch
#2780CCM19 Integration6714134k+Nonce verification recommended
#2781Dynamic Text Field For Contact Form 7672071k+Unsafe printing function
#2782Forget Spam Comment6751010k+Input is not sanitized
#2783Leadster676104k+Non-prefixed function
#2784Simple Calendar – Advanced Custom Fields67186400Output is not escaped
#2785Simple HTTPS671713400Output is not escaped
#2786Simple Membership Custom Messages674707k+Text Domain Mismatch
#2787Text Expander675015600wp function not compatible with requires wp
#2788Widget Contact Form 7672221k+Output is not escaped
#2789WP-Copyright-Protection672455k+wp function not compatible with requires wp
#2790JAMstack Deployments673331k+Short PHP open tag found
#2791WP Logout Redirect67205400Unsafe printing function
#2792Autoclear Autoptimize Cache681638k+Output is not escaped
#2793Default Attributes for WooCommerce682218400Non-prefixed hook name
#2794Exchange Rates Today68910400Non-prefixed function
#2795Expire Sticky Posts681681k+Text Domain Mismatch
#2796Guestplan Booking Widget684361k+Text Domain Mismatch
#2797Logo Switcher68142800Output is not escaped
#2798PagBank for WooCommerce688363k+Input is not sanitized
#2799Pinterest Verify Meta Tag68206600Output is not escaped
#2800Postepay Gateway per Woocommerce683641k+Text Domain Mismatch