WordPress.Security.EscapeOutput.ExceptionNotEscaped
Exception output is not escaped
An exception message or related exception value is printed without escaping.
Why It Shows Up
The scan found exception data being displayed directly in HTML output.
Why It Matters
Exception messages can include file paths, request values, remote API responses, or database details. Printing them raw can expose information or create XSS risk.
How to Fix
- Use `esc_html()` or another context-appropriate escaping function before displaying exception text.
- Show a generic user-facing message and log the detailed exception for administrators or developers.
- Do not print stack traces, paths, or raw remote responses on public pages.
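The flagged pattern beside a fix that follows the three points above, as an added example (not code from Plugin Check or from any plugin listed below); the `myplugin_` names and the remote-call stub are hypothetical:

```php
<?php
// Added example, not from the Plugin Check project. The helper below is a
// constructed stand-in for a remote API call that fails with a detailed message.
function myplugin_call_remote_api() {
    throw new RuntimeException( 'HTTP 502 from https://api.example.test/sync: <html>Bad Gateway</html>' );
}

// Flagged by WordPress.Security.EscapeOutput.ExceptionNotEscaped:
// the raw exception message, which may carry paths, request values or a remote
// response body, is concatenated straight into HTML.
function myplugin_sync_unsafe() {
    try {
        myplugin_call_remote_api();
    } catch ( Exception $e ) {
        echo '<div class="notice notice-error"><p>' . $e->getMessage() . '</p></div>';
    }
}

// Fixed: the public page gets a generic message, the detail goes to the log,
// and any exception text that is shown to an administrator is escaped first.
function myplugin_sync_safe() {
    try {
        myplugin_call_remote_api();
    } catch ( Exception $e ) {
        // Full detail (message, file, line) stays server-side for developers.
        error_log( sprintf(
            'myplugin sync failed: %s in %s:%d',
            $e->getMessage(),
            $e->getFile(),
            $e->getLine()
        ) );

        // Only users who can manage the site see the message, and even then
        // it passes through esc_html() so markup in it is rendered as text.
        $detail = current_user_can( 'manage_options' ) ? $e->getMessage() : '';

        printf(
            '<div class="notice notice-error"><p>%s</p>%s</div>',
            esc_html__( 'Synchronisation failed. Please try again later.', 'myplugin' ),
            '' !== $detail ? '<p><code>' . esc_html( $detail ) . '</code></p>' : ''
        );
    }
}
```

With the constructed message above, the unsafe version injects the `<html>` fragment into the page while the safe version renders it literally and keeps the URL out of the public view.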
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1 | Intercom | 0 | 60 | 71 | 6k+ | | | Non-prefixed function |
| #2 | Live Shopping & Shoppable Videos For WooCommerce | 0 | 78 | 175 | 400 | | | Non-prefixed global variable |
| #3 | Plugin Check (PCP) | 0 | 128 | 132 | 10k+ | | | Exception output is not escaped |
| #4 | Themify Builder | 9 | 5,195 | 2,096 | 5k+ | | | Text Domain Mismatch |
| #5 | JetBackup – Backup, Restore & Migrate | 10 | 1,559 | 145 | 100k+ | | | Exception output is not escaped |
| #6 | Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more | 15 | 32 | 163 | 500k+ | | | Direct Query |
| #7 | Visual Composer Website Builder | 16 | 82 | 320 | 40k+ | | | Non-prefixed global variable |
| #8 | AnyComment | 17 | 445 | 449 | 5k+ | | | Output is not escaped |
| #9 | Efí Bank | 17 | 886 | 553 | 400 | | | Exception output is not escaped |
| #10 | Podlove Podcast Publisher | 18 | 2,326 | 1,429 | 3k+ | | | Output is not escaped |
| #11 | Property Hive | 18 | 1,957 | 6,027 | 3k+ | | | Missing nonce verification |
| #12 | RestroPress – Online Food Ordering System | 18 | 521 | 3,083 | 1k+ | | | Non-prefixed global variable |
| #13 | Shopping Cart & eCommerce Store | 18 | 5,459 | 17,298 | 4k+ | | | Non-prefixed global variable |
| #14 | Block Slider – Responsive Image Slider, Video Slider & Post Slider | 19 | 555 | 1,291 | 3k+ | | | Non-prefixed global variable |
| #15 | Download Monitor | 19 | 425 | 1,364 | 80k+ | | | Non-prefixed hook name |
| #16 | Advanced File Manager – Ultimate File Manager for WordPress And Document Library Solution | 19 | 1,218 | 901 | 100k+ | | | Exception output is not escaped |
| #17 | Go Fetch Jobs (for WP Job Manager) | 19 | 1,410 | 1,741 | 700 | | | Non-prefixed global variable |
| #18 | AI Infographic Maker | 19 | 1,517 | 599 | 600 | | | Output is not escaped |
| #19 | Matomo Analytics – Powerful, Privacy-First Insights for WordPress | 19 | 1,909 | 878 | 100k+ | | | Exception output is not escaped |
| #20 | Netgsm | 19 | 338 | 298 | 1k+ | | | Setting is missing a sanitization callback |
| #21 | Razorpay Payment Button Plugin | 19 | 486 | 98 | 2k+ | | | Exception output is not escaped |
| #22 | Realtyna Organic IDX plugin + WPL Real Estate | 19 | 947 | 3,653 | 2k+ | | | Non-prefixed global variable |
| #23 | Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) | 19 | 541 | 385 | 3m+ | | | Missing Translators Comment |
| #24 | Membership Plugin – Kadence Memberships | 19 | 5,082 | 2,982 | 9k+ | | | Text Domain Mismatch |
| #25 | Scrollsequence – Cinematic Scroll Image Animation Plugin | 19 | 878 | 1,528 | 4k+ | | | Non-prefixed global variable |
| #26 | SendPress Newsletters | 19 | 2,293 | 1,422 | 2k+ | | | Output is not escaped |
| #27 | SureCart – Ecommerce Made Easy For Selling Physical Products, Digital Downloads, Subscriptions, Donations, & Payments | 19 | 526 | 1,119 | 90k+ | | | Non-prefixed global variable |
| #28 | WordLift – AI powered SEO – Schema | 19 | 393 | 955 | 400 | | | Non-prefixed hook name |
| #29 | WP Email Template | 19 | 342 | 350 | 2k+ | | | Exception output is not escaped |
| #30 | WP Import Export Lite | 19 | 737 | 979 | 40k+ | | | Non-prefixed global variable |
| #31 | WPOSS阿里云对象存储 | 19 | 269 | 315 | 1k+ | | | Non-prefixed namespace |
| #32 | WPQiNiu七牛云对象存储 | 19 | 138 | 612 | 400 | | | Non-prefixed global variable |
| #33 | AweBooking – Hotel Booking System | 20 | 309 | 514 | 1k+ | | | Non-prefixed global variable |
| #34 | Brizy – Page Builder | 20 | 589 | 720 | 70k+ | | | Output is not escaped |
| #35 | Broadstreet | 20 | 434 | 273 | 700 | | | Output is not escaped |
| #36 | Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) | 20 | 736 | 2,112 | 900 | | | Non-prefixed global variable |
| #37 | Event Espresso – Event Registration & Ticketing Sales | 20 | 12,698 | 2,135 | 600 | | | Text Domain Mismatch |
| #38 | Event Organiser | 20 | 1,104 | 544 | 20k+ | | | Text Domain Mismatch |
| #39 | GiveWP – Donation Plugin and Fundraising Platform | 20 | 3,437 | 3,577 | 100k+ | | | Output is not escaped |
| #40 | Leaky Paywall | 20 | 320 | 776 | 700 | | | Nonce verification recommended |
| #41 | MBE eShip | 20 | 527 | 740 | 1k+ | | | Non-prefixed global variable |
| #42 | MAS Videos | 20 | 519 | 1,693 | 1k+ | | | Non-prefixed global variable |
| #43 | Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization | 20 | 1,292 | 2,683 | 9k+ | | | Output is not escaped |
| #44 | Microthemer Lite – Visual Editor to Customize CSS | 20 | 1,004 | 1,699 | 10k+ | | | Non-prefixed global variable |
| #45 | Nimble Page Builder | 20 | 1,591 | 1,684 | 30k+ | | | Missing Arg Domain |
| #46 | PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net, NMI) | 20 | 440 | 750 | 400 | | | Missing direct file access protection |
| #47 | Pix por Piggly (para Woocommerce) | 20 | 547 | 195 | 4k+ | | | Exception output is not escaped |
| #48 | Powered Cache – Caching and Optimization for WordPress – Easily Improve PageSpeed & Web Vitals Score | 20 | 147 | 231 | 3k+ | | | Exception output is not escaped |
| #49 | Quill Forms \| Conversational Multi Step Forms, Surveys & quizzes | 20 | 401 | 368 | 3k+ | | | Text Domain Mismatch |
| #50 | Razorpay Payment Button Elementor Plugin | 20 | 479 | 62 | 1k+ | | | Exception output is not escaped |