WordPress.Security.EscapeOutput.ExceptionNotEscaped
Exception output is not escaped
An exception message or related exception value is printed without escaping.
Why It Shows Up
The scan found exception data being displayed directly in HTML output.
Why It Matters
Exception messages can include file paths, request values, remote API responses, or database details. Printing them raw can disclose that information to visitors, and when the message carries attacker-influenced content (a request value or a remote response body), it can create an XSS risk.
How to Fix
- Use `esc_html()` or another context-appropriate escaping function before displaying exception text.
- Show a generic user-facing message and log the detailed exception for administrators or developers.
- Do not print stack traces, paths, or raw remote responses on public pages.
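The three steps above, applied to one handler. This is an added example, not code from the scanner documentation or from any plugin listed below; `$sync` is a hypothetical object whose `run()` method may throw, and `myplugin` is a placeholder text domain. The unsafe version is the pattern the sniff reports; the second version escapes, logs, and shows only a generic message.

```php
<?php
// Added example, not from the scanner docs or any listed plugin. $sync is a
// hypothetical object whose run() method may throw on remote or DB failures.

// BEFORE: the pattern the sniff flags. The message can carry a file path,
// request data or a remote response body, and it lands in HTML unescaped.
function myplugin_render_sync_status_unsafe( $sync ) {
    try {
        $sync->run();
        echo '<p>Sync complete.</p>';
    } catch ( Exception $e ) {
        echo '<p class="error">Sync failed: ' . $e->getMessage() . '</p>';
    }
}

// AFTER: escape anything derived from the exception, keep details off the
// public page, and log them with a reference id for whoever has to debug.
function myplugin_render_sync_status( $sync ) {
    try {
        $sync->run();
        echo '<p>' . esc_html__( 'Sync complete.', 'myplugin' ) . '</p>';
    } catch ( Exception $e ) {
        $ref = substr( md5( uniqid( 'myplugin', true ) ), 0, 8 );

        // Full detail goes to the PHP error log, never to the response body.
        error_log( sprintf(
            '[myplugin] sync failed (ref %s): %s in %s:%d',
            $ref, $e->getMessage(), $e->getFile(), $e->getLine()
        ) );

        // Generic, escaped message for everyone; the ref lets an admin
        // correlate what they saw with the log entry.
        printf(
            '<p class="error">%s</p>',
            /* translators: %s: error reference id */
            esc_html( sprintf( __( 'Sync failed. Reference: %s', 'myplugin' ), $ref ) )
        );

        // Optional: show the message itself to administrators only, and only
        // while debugging. It is still escaped: the sink is HTML text.
        if ( defined( 'WP_DEBUG' ) && WP_DEBUG && current_user_can( 'manage_options' ) ) {
            echo '<p class="description">' . esc_html( $e->getMessage() ) . '</p>';
        }
    }
}
```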
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #51 | Remove Add to Cart WooCommerce | 20 | 616 | 1,378 | 4k+ | | | Non-prefixed global variable |
| #52 | Robin Image Optimizer – Unlimited Image Optimization, WebP & AVIF | 20 | 557 | 541 | 100k+ | | | Output is not escaped |
| #53 | SpeakOut! Email Petitions | 20 | 850 | 994 | 3k+ | | | Missing nonce verification |
| #54 | Events Manager – OpenStreetMaps | 20 | 559 | 444 | 700 | | | Output is not escaped |
| #55 | Razorpay for WooCommerce | 20 | 974 | 855 | 100k+ | | | Non-prefixed function |
| #56 | WP Minify Fix | 20 | 306 | 380 | 800 | | | Output is not escaped |
| #57 | Premium Packages – Sell Digital Products Securely | 20 | 2,027 | 2,234 | 3k+ | | | Non-prefixed global variable |
| #58 | WPJAM Basic | 20 | 328 | 356 | 4k+ | | | Output is not escaped |
| #59 | Backup Migration | 21 | 981 | 1,093 | 80k+ | | | Non-prefixed global variable |
| #60 | Pinpoint Booking System – Version 2 | 21 | 634 | 328 | 3k+ | | | Missing direct file access protection |
| #61 | rtMedia for WordPress, BuddyPress and bbPress | 21 | 363 | 633 | 8k+ | | | Non-prefixed constant |
| #62 | CallTrackingMetrics | 21 | 923 | 286 | 3k+ | | | Unsafe printing function |
| #63 | Captcha Them All | 21 | 300 | 323 | 6k+ | | | Output is not escaped |
| #64 | CartFlows – Funnel Builder & Checkout Plugin for WooCommerce | 21 | 462 | 654 | 200k+ | | | Text Domain Mismatch |
| #65 | Smart Grid-Layout Design for Contact Form 7 | 21 | 1,126 | 734 | 10k+ | | | Output is not escaped |
| #66 | SMS Extension for Contact Form 7 | 21 | 720 | 1,387 | 400 | | | Non-prefixed global variable |
| #67 | Comet Cache | 21 | 857 | 245 | 20k+ | | | Output is not escaped |
| #68 | Daily Prayer Time | 21 | 947 | 1,780 | 1k+ | | | Non-prefixed global variable |
| #69 | DELUCKS SEO | 21 | 362 | 1,171 | 400 | | | Missing nonce verification |
| #70 | Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More | 21 | 2,572 | 1,277 | 1m+ | | | Output is not escaped |
| #71 | Ebook Store | 21 | 666 | 1,087 | 700 | | | Non-prefixed global variable |
| #72 | Envo Extra | 21 | 878 | 600 | 20k+ | | | Text Domain Mismatch |
| #73 | EventPrime – Events Calendar, Bookings and Tickets | 21 | 872 | 4,301 | 7k+ | | | Non-prefixed global variable |
| #74 | FileOrganizer – WordPress File Manager | 21 | 536 | 241 | 200k+ | | | unlink unlink |
| #75 | Campaign Monitor for WordPress | 21 | 386 | 461 | 2k+ | | | Non-prefixed global variable |
| #76 | Front End Users | 21 | 719 | 2,759 | 400 | | | Non-prefixed global variable |
| #77 | If-So Dynamic Content – Elementor & All Page Builders Personalization | 21 | 889 | 725 | 7k+ | | | Unsafe printing function |
| #78 | Imagify: Optimize Images for Top Speed (Compress & Convert to WebP/AVIF) | 21 | 420 | 861 | 1m+ | | | Non-prefixed global variable |
| #79 | LA-Studio Element Kit for Elementor | 21 | 8,390 | 1,964 | 10k+ | | | Text Domain Mismatch |
| #80 | MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder | 21 | 1,133 | 3,011 | 2k+ | | | Non-prefixed global variable |
| #81 | Mapster WP Maps | 21 | 3,440 | 2,903 | 3k+ | | | Text Domain Mismatch |
| #82 | Mergado Pack | 21 | 2,323 | 588 | 700 | | | Output is not escaped |
| #83 | Modular DS: Monitor, update, and backup multiple websites | 21 | 159 | 81 | 40k+ | | | Exception output is not escaped |
| #84 | Mooberry Book Manager | 21 | 1,040 | 399 | 1k+ | | | Text Domain Mismatch |
| #85 | MotoPress Hotel Booking | 21 | 3,061 | 1,037 | 10k+ | | | Text Domain Mismatch |
| #86 | Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred | 21 | 1,469 | 3,333 | 10k+ | | | Non-prefixed global variable |
| #87 | OneLogin SAML SSO | 21 | 507 | 330 | 7k+ | | | wp function not compatible with requires wp |
| #88 | Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages | 21 | 1,173 | 2,983 | 9k+ | | | Non-prefixed global variable |
| #89 | Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction | 21 | 1,918 | 5,065 | 10k+ | | | Non-prefixed hook name |
| #90 | User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor | 21 | 696 | 1,483 | 50k+ | | | Nonce verification recommended |
| #91 | PublishPress Planner – Editorial Calendar, Marketing Content, Kanban Board | 21 | 603 | 890 | 6k+ | | | Output is not escaped |
| #92 | Razorpay for Gravity Forms | 21 | 411 | 47 | 600 | | | Exception output is not escaped |
| #93 | Razorpay Quick Payments | 21 | 399 | 63 | 3k+ | | | Exception output is not escaped |
| #94 | Five Star Restaurant Reservations – WordPress Booking Plugin | 21 | 1,099 | 1,147 | 10k+ | | | Output is not escaped |
| #95 | Rocket Maintenance Mode & Coming Soon Page | 21 | 1,176 | 1,406 | 4k+ | | | Non-prefixed global variable |
| #96 | Royal Addons for Elementor – Addons and Templates Kit for Elementor | 21 | 13,011 | 2,530 | 600k+ | | | Text Domain Mismatch |
| #97 | Seamless Donations is Sunset | 21 | 600 | 514 | 2k+ | | | Text Domain Mismatch |
| #98 | SeatReg | 21 | 312 | 1,637 | 400 | | | Missing nonce verification |
| #99 | Smart Forms – when you need more than just a contact form | 21 | 776 | 574 | 5k+ | | | Output is not escaped |
| #100 | Accept Stripe Payments | 21 | 373 | 882 | 20k+ | | | Missing nonce verification |