WordPress.Security.EscapeOutput.UnsafePrintingFunction

Unsafe printing function

A printing function is outputting dynamic content without proving that the content is escaped.

critical weight

Why It Shows Up

The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.

Why It Matters

Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.

How to Fix

  • Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
  • Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
  • Avoid marking values as safe unless they are hard-coded or already strictly constrained.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2801PagBank for WooCommerce688363k+Input is not sanitized
#2802Pinterest Verify Meta Tag68206600Output is not escaped
#2803Postepay Gateway per Woocommerce683641k+Text Domain Mismatch
#2804Reusable Gutenberg Blocks Widget68249500Output is not escaped
#2805Smartarget – Chat Buttons & Engagement Apps6831111k+Non Singular String Literal Domain
#2806WP Favicon68259500Non Singular String Literal Domain
#2807WP Smart Preloader6827105k+Output is not escaped
#2808Bulk menu creator692741k+Text Domain Mismatch
#2809Custom Category Template691382k+Missing Arg Domain
#2810Custom Field For WP Job Manager691654900Non-prefixed global variable
#2811Dashboard Commander69132900Output is not escaped
#2812Disable Users691192k+Text Domain Mismatch
#2813Email as Username for WP-Members69158700Text Domain Mismatch
#2814HelpCrunch – Live Chat, Chatbot & Knowledge Base for Customer Service691512k+Output is not escaped
#2815Simple Login Lockdown691364k+Output is not escaped
#2816Simple Mathjax692934k+Short PHP open tag found
#2817TJ Custom CSS6918108k+Output is not escaped
#2818Easy Username Updater69192810k+Missing Arg Domain
#2819Library70143700Output is not escaped
#2820RSS Importer7014230k+Output is not escaped
#2821Support Me70126900Unsafe printing function
#2822ACF Enhanced Message Field71291600Text Domain Mismatch
#2823Advanced Custom Fields: Price Field71127400Output is not escaped
#2824ACF Tooltip711631k+Output is not escaped
#2825Bootstrap Shortcodes7121115k+Missing direct file access protection
#2826Comfortable Reading711682k+Output is not escaped
#2827Cresta Social Messenger719101k+Non-prefixed function
#2828Visual Bible Verse of the Day Widget71271900Output is not escaped
#2829WP IE Buster71133800Output is not escaped
#2830WP No Base Permalink7181010k+Unsafe printing function
#2831WPS Notice Center711273k+Unsafe printing function
#2832Call Now and Chat Buttons721325k+Setting is missing a sanitization callback
#2833Disable Title7220152k+Text Domain Mismatch
#2834Display your Checkatrade72193400Output is not escaped
#2835Gravity Forms CSS Ready Class Selector721844k+Non Singular String Literal Domain
#2836jQuery Masonry Image Gallery721761k+Unsafe printing function
#2837Featured Image in RSS Feed by MailerLite721271k+Output is not escaped
#2838MemcacheD Is Your Friend7223331k+Non-prefixed function
#2839My-Plugins7224630k+Missing Arg Domain
#2840Robots.txt Editor7210710k+Input is not validated or sanitized
#2841Storefront Product Sharing721334k+Output is not escaped
#2842Tabs Widget for Page Builder722273k+Text Domain Mismatch
#2843ShinyStat Widget72142800Output is not escaped
#2844BuddyPress Activity Shortcode739142k+Non-prefixed hook name
#2845Export Plugin Details731362k+Output is not escaped
#2846Gravity Fieldset for Gravity Forms73141900Output is not escaped
#2847jQuery Lightbox For Native Galleries732674k+Text Domain Mismatch
#2848RPS Include Content73132700Output is not escaped
#2849Sweet Custom Dashboard73272400Missing Arg Domain
#2850Advanced Custom Fields: Accordion Tab Field741411800Missing Version