WordPress.Security.EscapeOutput.UnsafePrintingFunction
Unsafe printing function
A printing function is outputting dynamic content without proving that the content is escaped.
Why It Shows Up
The scan saw output through functions such as `printf`, `print`, or similar constructs where the printed values were not escaped for their context.
Why It Matters
Formatted output is still browser output. If any argument contains attacker-controlled content, the page can become vulnerable to cross-site scripting.
How to Fix
- Escape every dynamic argument with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` as appropriate.
- Keep translation wrappers and escaping wrappers in the correct order, such as `esc_html__( 'Text', 'text-domain' )` for translated text.
- Avoid marking values as safe unless they are hard-coded or already strictly constrained.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #351 | WOW Styler for CF7 – Visual Styler for Contact Form 7 Forms | 24 | 534 | 1,559 | 3k+ | Non-prefixed global variable | ||
| #352 | Church Admin | 24 | 1,554 | 4,207 | 900 | Direct Query | ||
| #353 | CleanTalk Anti-Spam. Spam Firewall & Bot protection | 24 | 818 | 1,092 | 200k+ | Missing nonce verification | ||
| #354 | Smart Online Order for Clover | 24 | 1,746 | 1,246 | 1k+ | Text Domain Mismatch | ||
| #355 | CM Pop-Up – Create engaging popups to capture attention and boost interaction | 24 | 466 | 408 | 8k+ | Output is not escaped | ||
| #356 | CMP – Coming Soon & Maintenance Plugin by NiteoThemes | 24 | 949 | 1,336 | 200k+ | Non-prefixed global variable | ||
| #357 | Complianz – GDPR/CCPA Cookie Consent | 24 | 487 | 403 | 1m+ | Missing Arg Domain | ||
| #358 | RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress | 24 | 828 | 3,665 | 500 | Request data is not unslashed | ||
| #359 | CF7 Apps – Honeypot, Database, Redirection, Webhook, and Addons for Contact Form 7 | 24 | 1,034 | 1,396 | 300k+ | Non-prefixed global variable | ||
| #360 | Contact Form by Supsystic | 24 | 1,913 | 633 | 6k+ | Non Singular String Literal Domain | ||
| #361 | WPBot – ChatBot Conversational Forms | 24 | 1,254 | 1,226 | 2k+ | Text Domain Mismatch | ||
| #362 | CRM Perks Forms – WordPress Form Builder | 24 | 819 | 577 | 1k+ | Output is not escaped | ||
| #363 | Custom Twitter Feeds – A Tweets Widget or X Feed Widget | 24 | 446 | 922 | 100k+ | Output is not escaped | ||
| #364 | WP Customer Area | 24 | 3,306 | 941 | 10k+ | Text Domain Mismatch | ||
| #365 | Customer Reviews for WooCommerce | 24 | 2,202 | 2,445 | 80k+ | Output is not escaped | ||
| #366 | WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) | 24 | 845 | 2,643 | 4k+ | Non-prefixed global variable | ||
| #367 | Digital License Manager | 24 | 295 | 670 | 800 | Non-prefixed hook name | ||
| #368 | Double Opt-In for Contact Form 7 – Secure, GDPR-Compliant Email Verification | 24 | 233 | 441 | 1k+ | Non-prefixed hook name | ||
| #369 | Doubly – Cross Domain Copy Paste for WordPress | 24 | 252 | 55 | 10k+ | Output is not escaped | ||
| #370 | Drop Shadow Boxes | 24 | 642 | 1,290 | 4k+ | Non-prefixed global variable | ||
| #371 | Dynamic Widgets | 24 | 631 | 812 | 10k+ | Non-prefixed global variable | ||
| #372 | Easy Invoice – Invoice Generator, PDF Quotes & Payments | 24 | 1,366 | 2,013 | 500 | Non-prefixed global variable | ||
| #373 | Easy Modal | 24 | 564 | 299 | 7k+ | Unsafe printing function | ||
| #374 | E-cab Taxi Booking Manager for Woocommerce | 24 | 356 | 1,462 | 2k+ | Non-prefixed global variable | ||
| #375 | eCommerce Product Catalog Plugin for WordPress | 24 | 621 | 3,177 | 7k+ | Non-prefixed function | ||
| #376 | EmbedPress – PDF Embedder, 3D PDF FlipBook, Google Reviews, YouTube Videos, Upload & Embed PDF documents | 24 | 711 | 1,588 | 100k+ | Output is not escaped | ||
| #377 | Enable Media Replace | 24 | 212 | 276 | 600k+ | Output is not escaped | ||
| #378 | Event Tickets and Registration | 24 | 3,409 | 4,217 | 90k+ | Non-prefixed global variable | ||
| #379 | Fast Velocity Minify | 24 | 282 | 256 | 40k+ | Unsafe printing function | ||
| #380 | Fattura24 | 24 | 312 | 333 | 400 | Output is not escaped | ||
| #381 | Featured Image from URL (FIFU) | 24 | 1,654 | 418 | 70k+ | Non Singular String Literal Domain | ||
| #382 | Featured Post with thumbnail | 24 | 158 | 122 | 400 | Output is not escaped | ||
| #383 | Fix Alt Text | 24 | 544 | 346 | 1k+ | Non Singular String Literal Domain | ||
| #384 | Food Store – Online Food Delivery & Pickup | 24 | 862 | 1,941 | 1k+ | Non-prefixed global variable | ||
| #385 | Football Pool | 24 | 1,085 | 733 | 1k+ | Output is not escaped | ||
| #386 | Force Sell for WooCommerce | 24 | 697 | 455 | 600 | Text Domain Mismatch | ||
| #387 | FV Simpler SEO | 24 | 766 | 308 | 2k+ | Text Domain Mismatch | ||
| #388 | FV Player 8 | 24 | 323 | 1,383 | 1k+ | Non-prefixed function | ||
| #389 | Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress | 24 | 536 | 322 | 10k+ | Text Domain Mismatch | ||
| #390 | Genealogical Tree – Family Tree & Ancestry for WordPress | 24 | 560 | 1,641 | 600 | Non-prefixed global variable | ||
| #391 | GEO my WP | 24 | 554 | 2,091 | 3k+ | Non-prefixed hook name | ||
| #392 | GG Woo Feed for WooCommerce Shopping Feed on Google and Other Channels | 24 | 469 | 592 | 1k+ | Non-prefixed global variable | ||
| #393 | Connector Wizard (formerly LC Wizard) | 24 | 249 | 448 | 1k+ | Non-prefixed function | ||
| #394 | Assets manager, dequeue scripts, dequeue styles for WordPress | 24 | 592 | 255 | 2k+ | Output is not escaped | ||
| #395 | Simple Calendar – Google Calendar Plugin | 24 | 2,053 | 592 | 50k+ | Missing direct file access protection | ||
| #396 | Easy Google Maps | 24 | 1,764 | 389 | 20k+ | Non Singular String Literal Domain | ||
| #397 | Grid/List View for WooCommerce | 24 | 1,116 | 546 | 2k+ | Output is not escaped | ||
| #398 | GS Behance Portfolio – Display Projects, Gallery & Slider | 24 | 855 | 1,617 | 400 | Non-prefixed global variable | ||
| #399 | HT Mega Addons for Elementor – Elementor Widgets & Template Builder | 24 | 12,352 | 1,474 | 70k+ | Text Domain Mismatch | ||
| #400 | Hummingbird Performance – Cache & Page Speed Optimization for Core Web Vitals | Critical CSS | Minify CSS | Defer CSS Javascript | CDN | 24 | 3,410 | 866 | 70k+ | Text Domain Mismatch |