WordPress.Security.EscapeOutput.ExceptionNotEscaped
Exception output is not escaped
An exception message or related exception value is printed without escaping.
Why It Shows Up
The scan found exception data being displayed directly in HTML output.
Why It Matters
Exception messages can include file paths, request values, remote API responses, or database details. Printing them unescaped discloses that information to anyone who can see the page, and where part of the message originates from user input or a remote response it can inject markup (XSS).
How to Fix
- Use `esc_html()` or another context-appropriate escaping function before displaying exception text.
- Show a generic user-facing message and log the detailed exception for administrators or developers.
- Do not print stack traces, paths, or raw remote responses on public pages.
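A before/after pair for the catch block this sniff flags, added here as an example; it is not code from the scanner page or from any of the listed plugins, and the function names, the endpoint URL and the text domain are assumed placeholders:

```php
<?php
// Added example. hypothetical_* names, the endpoint and the
// 'hypothetical-plugin' text domain are placeholders, not real plugin code.

function hypothetical_fetch_remote_status() {
    $response = wp_remote_get( 'https://api.example.invalid/status' ); // assumed endpoint
    if ( is_wp_error( $response ) ) {
        // WP_Error messages commonly echo back the URL and transport details.
        throw new RuntimeException( $response->get_error_message() );
    }
    return wp_remote_retrieve_body( $response );
}

// BEFORE: flagged by WordPress.Security.EscapeOutput.ExceptionNotEscaped.
// The message may carry paths, the request URL or an unfiltered response
// body, and it is written straight into the admin page HTML.
function hypothetical_status_notice_unsafe() {
    try {
        echo '<pre>' . hypothetical_fetch_remote_status() . '</pre>';
    } catch ( Exception $e ) {
        echo '<div class="notice notice-error"><p>' . $e->getMessage() . '</p></div>';
    }
}

// AFTER: generic text on the page, full detail in the server log, and the
// escaped message only for users who can manage the site.
function hypothetical_status_notice_safe() {
    try {
        echo '<pre>' . esc_html( hypothetical_fetch_remote_status() ) . '</pre>';
    } catch ( Exception $e ) {
        // Administrators and developers get the detail from the log, not the HTML.
        error_log( 'hypothetical-plugin: status fetch failed: ' . $e->getMessage() );

        $message = esc_html__( 'The status service could not be reached. See the server log for details.', 'hypothetical-plugin' );
        if ( current_user_can( 'manage_options' ) ) {
            // If exception text must be shown at all, escape it for the HTML context.
            $message .= ' ' . esc_html( $e->getMessage() );
        }
        echo '<div class="notice notice-error"><p>' . $message . '</p></div>';
    }
}
```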
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Updated | Top Issue |
|---|---|---|---|---|---|---|---|
| #601 | Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin | 27 | 122 | 135 | 3k+ | | Non-prefixed global variable |
| #602 | Foxtool All-in-One: Contact chat button, Custom login, Media optimize images | 27 | 1,629 | 360 | 7k+ | | Unsafe printing function |
| #603 | Login for Google Apps | 27 | 139 | 85 | 10k+ | | Exception output is not escaped |
| #604 | Hester Core | 27 | 253 | 103 | 10k+ | | Output is not escaped |
| #605 | HM Multiple Roles | 27 | 537 | 1,287 | 1k+ | | Non-prefixed global variable |
| #606 | Import Eventbrite Events | 27 | 156 | 575 | 3k+ | | Non-prefixed global variable |
| #607 | MW WP Form | 27 | 334 | 219 | 200k+ | | Output is not escaped |
| #608 | Nextend Social Login and Register | 27 | 1,668 | 243 | 200k+ | | Output is not escaped |
| #609 | Packlink PRO for WooCommerce | 27 | 130 | 154 | 20k+ | | Non-prefixed global variable |
| #610 | Autopay | 27 | 746 | 370 | 3k+ | | Text Domain Mismatch |
| #611 | Hubbub Lite – Fast, free social sharing and follow buttons | 27 | 337 | 172 | 30k+ | | Text Domain Mismatch |
| #612 | StoreGrowth: Smart Sales Booster for WooCommerce \| BOGO, Upsells, Direct Checkout, Quick View, Side Cart | 27 | 89 | 377 | 2k+ | | Non-prefixed global variable |
| #613 | Transbank Webpay | 27 | 198 | 211 | 10k+ | | Non-prefixed global variable |
| #614 | WP Events Manager | 27 | 294 | 415 | 30k+ | | Output is not escaped |
| #615 | WP Job Manager | 27 | 92 | 578 | 80k+ | | Non-prefixed hook name |
| #616 | WP Activity Log | 27 | 96 | 230 | 300k+ | | Nonce verification recommended |
| #617 | WP Chat App | 27 | 120 | 274 | 100k+ | | Alternative PHP tag found |
| #618 | WPBase Cache | 27 | 189 | 113 | 2k+ | | Text Domain Mismatch |
| #619 | Ultimate Addons for SiteOrigin | 28 | 525 | 189 | 7k+ | | Text Domain Mismatch |
| #620 | AForms — Form Builder for Price Calculator & Cost Estimation | 28 | 564 | 95 | 3k+ | | Text Domain Mismatch |
| #621 | AJAX Login and Registration modal popup + inline form | 28 | 157 | 261 | 3k+ | | Output is not escaped |
| #622 | BNE Testimonials | 28 | 522 | 102 | 1k+ | | Output is not escaped |
| #623 | Maspik – Ultimate Spam Protection | 28 | 212 | 862 | 30k+ | | Missing nonce verification |
| #624 | easy.jobs – AI powered Job Listing, Job Board, Career Page, Recruitment & Hiring Solution | 28 | 405 | 810 | 5k+ | | Missing nonce verification |
| #625 | Embedder for Google Reviews | 28 | 526 | 1,319 | 6k+ | | Non-prefixed global variable |
| #626 | گیتلند \| درگاه پرداخت هوشمند گیتلند | 28 | 327 | 235 | 2k+ | | Output is not escaped |
| #627 | Kadence Starter Templates — Predesigned Website Templates | 28 | 312 | 215 | 300k+ | | Missing Arg Domain |
| #628 | Laposta Signup Basic | 28 | 275 | 66 | 2k+ | | Output is not escaped |
| #629 | Maven Algolia | 28 | 148 | 89 | 6k+ | | Non Singular String Literal Domain |
| #630 | Notification – Custom Notifications and Alerts for WordPress | 28 | 186 | 219 | 10k+ | | Non-prefixed global variable |
| #631 | Store Hours for WooCommerce | 28 | 525 | 60 | 2k+ | | Output is not escaped |
| #632 | Perfect Brands for WooCommerce | 28 | 112 | 143 | 40k+ | | Non-prefixed constant |
| #633 | Podcast Importer SecondLine | 28 | 356 | 169 | 4k+ | | Text Domain Mismatch |
| #634 | Redis Object Cache | 28 | 151 | 103 | 400k+ | | Exception output is not escaped |
| #635 | Brilliant Web-to-Lead for Salesforce | 28 | 247 | 244 | 2k+ | | Text Domain Mismatch |
| #636 | Transliterator – Multilingual and Multi-script Text Conversion | 28 | 305 | 320 | 3k+ | | Output is not escaped |
| #637 | Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor | 28 | 291 | 292 | 20k+ | | Output is not escaped |
| #638 | Ultimate FAQ Accordion Plugin | 28 | 386 | 227 | 30k+ | | Unsafe printing function |
| #639 | Dynamic Product Gallery for WooCommerce | 28 | 414 | 303 | 1k+ | | Output is not escaped |
| #640 | Product Sort and Display for WooCommerce | 28 | 199 | 235 | 2k+ | | Output is not escaped |
| #641 | Connect Matomo – Analytics Dashboard for WordPress | 28 | 100 | 102 | 60k+ | | Missing Translators Comment |
| #642 | WPify Woo – Withdrawal, CRN/VAT, QR payments, Heureka and more for WooCommerce | 28 | 173 | 226 | 5k+ | | Output is not escaped |
| #643 | WPO365 \| SEAMLESS WORDPRESS + MICROSOFT INTEGRATION (WPO365 \| LOGIN) | 28 | 209 | 217 | 10k+ | | Exception output is not escaped |
| #644 | WPS Bidouille | 28 | 472 | 215 | 10k+ | | Output is not escaped |
| #645 | WP Synchro – The Ultimate WordPress Migration Tool | 28 | 243 | 244 | 2k+ | | Missing Translators Comment |
| #646 | YITH WooCommerce Product Bundles | 28 | 404 | 1,480 | 3k+ | | Non-prefixed global variable |
| #647 | Attribute Stock for WooCommerce – Shared Stock & Variable Quantities (Lite Version) | 29 | 481 | 313 | 2k+ | | Text Domain Mismatch |
| #648 | Bitcoin Payments – Blockonomics | 29 | 208 | 227 | 3k+ | | Output is not escaped |
| #649 | Plugin BlueX for WooCommerce | 29 | 431 | 216 | 2k+ | | Text Domain Mismatch |
| #650 | Chained Quiz | 29 | 1,132 | 721 | 1k+ | | Text Domain Mismatch |