WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2801 | PagBank for WooCommerce | 68 | 8 | 36 | 3k+ | Input is not sanitized | ||
| #2802 | Pinterest Verify Meta Tag | 68 | 20 | 6 | 600 | Output is not escaped | ||
| #2803 | Postepay Gateway per Woocommerce | 68 | 36 | 4 | 1k+ | Text Domain Mismatch | ||
| #2804 | Reusable Gutenberg Blocks Widget | 68 | 24 | 9 | 500 | Output is not escaped | ||
| #2805 | Smartarget – Chat Buttons & Engagement Apps | 68 | 31 | 11 | 1k+ | Non Singular String Literal Domain | ||
| #2806 | WP Favicon | 68 | 25 | 9 | 500 | Non Singular String Literal Domain | ||
| #2807 | WP Smart Preloader | 68 | 27 | 10 | 5k+ | Output is not escaped | ||
| #2808 | Bulk menu creator | 69 | 27 | 4 | 1k+ | Text Domain Mismatch | ||
| #2809 | Custom Category Template | 69 | 13 | 8 | 2k+ | Missing Arg Domain | ||
| #2810 | Custom Field For WP Job Manager | 69 | 16 | 54 | 900 | Non-prefixed global variable | ||
| #2811 | Dashboard Commander | 69 | 13 | 2 | 900 | Output is not escaped | ||
| #2812 | Disable Users | 69 | 11 | 9 | 2k+ | Text Domain Mismatch | ||
| #2813 | Email as Username for WP-Members | 69 | 15 | 8 | 700 | Text Domain Mismatch | ||
| #2814 | HelpCrunch – Live Chat, Chatbot & Knowledge Base for Customer Service | 69 | 15 | 1 | 2k+ | Output is not escaped | ||
| #2815 | Simple Login Lockdown | 69 | 13 | 6 | 4k+ | Output is not escaped | ||
| #2816 | Simple Mathjax | 69 | 29 | 3 | 4k+ | Short PHP open tag found | ||
| #2817 | TJ Custom CSS | 69 | 18 | 10 | 8k+ | Output is not escaped | ||
| #2818 | Easy Username Updater | 69 | 19 | 28 | 10k+ | Missing Arg Domain | ||
| #2819 | Library | 70 | 14 | 3 | 700 | Output is not escaped | ||
| #2820 | RSS Importer | 70 | 14 | 2 | 30k+ | Output is not escaped | ||
| #2821 | Support Me | 70 | 12 | 6 | 900 | Unsafe printing function | ||
| #2822 | ACF Enhanced Message Field | 71 | 29 | 1 | 600 | Text Domain Mismatch | ||
| #2823 | Advanced Custom Fields: Price Field | 71 | 12 | 7 | 400 | Output is not escaped | ||
| #2824 | ACF Tooltip | 71 | 16 | 3 | 1k+ | Output is not escaped | ||
| #2825 | Bootstrap Shortcodes | 71 | 21 | 11 | 5k+ | Missing direct file access protection | ||
| #2826 | Comfortable Reading | 71 | 16 | 8 | 2k+ | Output is not escaped | ||
| #2827 | Cresta Social Messenger | 71 | 9 | 10 | 1k+ | Non-prefixed function | ||
| #2828 | Visual Bible Verse of the Day Widget | 71 | 27 | 1 | 900 | Output is not escaped | ||
| #2829 | WP IE Buster | 71 | 13 | 3 | 800 | Output is not escaped | ||
| #2830 | WP No Base Permalink | 71 | 8 | 10 | 10k+ | Unsafe printing function | ||
| #2831 | WPS Notice Center | 71 | 12 | 7 | 3k+ | Unsafe printing function | ||
| #2832 | Call Now and Chat Buttons | 72 | 13 | 2 | 5k+ | Setting is missing a sanitization callback | ||
| #2833 | Disable Title | 72 | 20 | 15 | 2k+ | Text Domain Mismatch | ||
| #2834 | Display your Checkatrade | 72 | 19 | 3 | 400 | Output is not escaped | ||
| #2835 | Gravity Forms CSS Ready Class Selector | 72 | 18 | 4 | 4k+ | Non Singular String Literal Domain | ||
| #2836 | jQuery Masonry Image Gallery | 72 | 17 | 6 | 1k+ | Unsafe printing function | ||
| #2837 | Featured Image in RSS Feed by MailerLite | 72 | 12 | 7 | 1k+ | Output is not escaped | ||
| #2838 | MemcacheD Is Your Friend | 72 | 23 | 33 | 1k+ | Non-prefixed function | ||
| #2839 | My-Plugins | 72 | 24 | 6 | 30k+ | Missing Arg Domain | ||
| #2840 | Robots.txt Editor | 72 | 10 | 7 | 10k+ | Input is not validated or sanitized | ||
| #2841 | Storefront Product Sharing | 72 | 13 | 3 | 4k+ | Output is not escaped | ||
| #2842 | Tabs Widget for Page Builder | 72 | 22 | 7 | 3k+ | Text Domain Mismatch | ||
| #2843 | ShinyStat Widget | 72 | 14 | 2 | 800 | Output is not escaped | ||
| #2844 | BuddyPress Activity Shortcode | 73 | 9 | 14 | 2k+ | Non-prefixed hook name | ||
| #2845 | Export Plugin Details | 73 | 13 | 6 | 2k+ | Output is not escaped | ||
| #2846 | Gravity Fieldset for Gravity Forms | 73 | 14 | 1 | 900 | Output is not escaped | ||
| #2847 | jQuery Lightbox For Native Galleries | 73 | 26 | 7 | 4k+ | Text Domain Mismatch | ||
| #2848 | RPS Include Content | 73 | 13 | 2 | 700 | Output is not escaped | ||
| #2849 | Sweet Custom Dashboard | 73 | 27 | 2 | 400 | Missing Arg Domain | ||
| #2850 | Advanced Custom Fields: Accordion Tab Field | 74 | 14 | 11 | 800 | Missing Version |