# WordPress.Security.EscapeOutput.ExceptionNotEscaped
Exception output is not escaped
An exception message or related exception value is printed without escaping.
## Why It Shows Up

The scan found exception data being written directly into HTML output.

## Why It Matters

Exception messages can include file paths, request values, remote API responses, or database details. Printing them raw can disclose those internal details to visitors and, when the message carries attacker-influenced input such as a request value or a remote response body, creates a cross-site scripting (XSS) risk.

## How to Fix
- Use `esc_html()` or another context-appropriate escaping function before displaying exception text.
- Show a generic user-facing message and log the detailed exception for administrators or developers.
- Do not print stack traces, paths, or raw remote responses on public pages.
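The following is an added example showing the flagged pattern next to the corrected one; it is not code from the scanner or from any plugin listed below. It assumes it runs inside WordPress (so `esc_html()`, `esc_html__()`, `wp_remote_get()`, `is_wp_error()` and `current_user_can()` are loaded); the `myplugin_` function names and the feed URL are placeholders.

```php
<?php
// Added example (not the scanner's or any listed plugin's code). Assumes a
// WordPress runtime; the myplugin_ names and the API URL are placeholders.

/**
 * Flagged pattern: the raw exception message is echoed into the page.
 * If the message carries a remote response body or a request value, that
 * content reaches the browser unescaped.
 */
function myplugin_render_feed_unsafe() {
    try {
        foreach ( myplugin_fetch_feed() as $item ) {
            echo '<li>' . esc_html( (string) $item ) . '</li>';
        }
    } catch ( Exception $e ) {
        // Flagged by WordPress.Security.EscapeOutput.ExceptionNotEscaped.
        echo '<p class="error">' . $e->getMessage() . '</p>';
    }
}

/**
 * Corrected pattern: visitors get a fixed message, the full detail goes to
 * the error log, and the one place the real message is shown (to an
 * administrator) is HTML-escaped.
 */
function myplugin_render_feed_safe() {
    try {
        foreach ( myplugin_fetch_feed() as $item ) {
            echo '<li>' . esc_html( (string) $item ) . '</li>';
        }
    } catch ( Exception $e ) {
        // Message, file and line are logged server-side only.
        error_log( sprintf(
            'myplugin feed error: %s in %s:%d',
            $e->getMessage(),
            $e->getFile(),
            $e->getLine()
        ) );

        if ( current_user_can( 'manage_options' ) ) {
            // Administrators may see the message, but it is still escaped.
            echo '<p class="error">' . esc_html( $e->getMessage() ) . '</p>';
        } else {
            // Public visitors see a translatable string with no internal detail.
            echo '<p class="error">'
                . esc_html__( 'The feed is temporarily unavailable.', 'myplugin' )
                . '</p>';
        }
    }
}

/**
 * Placeholder fetch routine. The point is that a failure can put the remote
 * response body into the exception message, which is exactly the data that
 * must never be echoed raw.
 */
function myplugin_fetch_feed() {
    $response = wp_remote_get( 'https://api.example.com/feed' ); // placeholder URL
    if ( is_wp_error( $response ) ) {
        throw new RuntimeException( $response->get_error_message() );
    }
    $code = wp_remote_retrieve_response_code( $response );
    if ( 200 !== $code ) {
        // The remote body lands in the message: it may contain arbitrary HTML.
        throw new RuntimeException(
            'Feed API returned ' . $code . ': ' . wp_remote_retrieve_body( $response )
        );
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    return is_array( $data ) ? $data : array();
}
```

The safe variant separates the two audiences the fix list describes: the public page never carries exception text at all, while the administrator view, which may legitimately need the message, still passes it through `esc_html()` so a remote response containing markup cannot execute in the admin's browser.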
## Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue |
|---|---|---|---|---|---|---|
| #1001 | CLP Varnish Cache | 46 | 15 | 58 | 10k+ | Non-prefixed global variable |
| #1002 | Cashfree for WooCommerce | 47 | 21 | 21 | 8k+ | Nonce verification recommended |
| #1003 | QuadLayers TikTok Feed | 47 | 78 | 52 | 7k+ | Text Domain Mismatch |
| #1004 | AnWP Post Grid and Post Carousel Slider for Elementor | 48 | 758 | 171 | 20k+ | Text Domain Mismatch |
| #1005 | Instamojo for WooCommerce | 48 | 72 | 44 | 5k+ | Text Domain Mismatch |
| #1006 | ACF Quick Edit Fields | 49 | 20 | 72 | 30k+ | Nonce verification recommended |
| #1007 | Jetpack Social | 49 | 812 | 239 | 30k+ | Text Domain Mismatch |
| #1008 | Custom Block Builder – Lazy Blocks | 50 | 23 | 51 | 20k+ | Non-prefixed hook name |
| #1009 | WP SVG Images | 50 | 58 | 12 | 30k+ | Text Domain Mismatch |
| #1010 | SePay Gateway | 51 | 12 | 39 | 2k+ | Nonce verification recommended |
| #1011 | The Paste | 51 | 19 | 11 | 10k+ | Unsafe printing function |
| #1012 | GSheetConnector for Gravity Forms – Send Gravity Forms Entries to Google Sheets in Real-Time | 52 | 26 | 27 | 1k+ | Exception output is not escaped |
| #1013 | Automattic For Agencies Client | 53 | 249 | 184 | 20k+ | Text Domain Mismatch |
| #1014 | FakerPress | 53 | 66 | 152 | 10k+ | Non-prefixed global variable |
| #1015 | LuckyWP ACF Menu Field | 53 | 46 | 9 | 5k+ | Short PHP open tag found |
| #1016 | Pinterest for WooCommerce | 53 | 44 | 30 | 300k+ | Exception output is not escaped |
| #1017 | Weight Based Shipping for WooCommerce | 53 | 48 | 41 | 60k+ | Missing direct file access protection |
| #1018 | WP Console – WordPress PHP Console powered by PsySH | 53 | 34 | 48 | 20k+ | Exception output is not escaped |
| #1019 | CSV Importer | 54 | 24 | 11 | 3k+ | Missing direct file access protection |
| #1020 | Cyr-To-Lat | 54 | 16 | 48 | 300k+ | Dynamic hook name |
| #1021 | Disqus Comment System | 54 | 17 | 33 | 40k+ | Non-prefixed hook name |
| #1022 | AI Agent by SiteGround | 54 | 28 | 6 | 1m+ | Exception output is not escaped |
| #1023 | SimplyBook.me – Booking and reservations calendar | 54 | 31 | 13 | 30k+ | Exception output is not escaped |
| #1024 | WP Menu Icons | 54 | 68 | 52 | 20k+ | Text Domain Mismatch |
| #1025 | FluentSnippets – The High-Performance file based Custom Code Snippets Plugin | 55 | 32 | 27 | 40k+ | Nonce verification recommended |
| #1026 | Quick Bulk Post & Page Creator | 55 | 43 | 1 | 2k+ | Text Domain Mismatch |
| #1027 | Themeflection Numbers – Number Counter and Animated Numbers | 55 | 224 | 73 | 3k+ | Text Domain Mismatch |
| #1028 | AI Copilot – ChatGPT Chatbot & AI Engine for Post Automation | 56 | 65 | 20 | 1k+ | Text Domain Mismatch |
| #1029 | Grids: Layout builder for WordPress | 56 | 24 | 27 | 2k+ | Missing direct file access protection |
| #1030 | Hide Admin Notices | 57 | 9 | 16 | 20k+ | Input is not sanitized |
| #1031 | Search Exclude | 57 | 73 | 40 | 50k+ | Text Domain Mismatch |
| #1032 | Social Chat – Click To Chat App Button | 57 | 81 | 44 | 200k+ | Text Domain Mismatch |
| #1033 | Debloat – Remove Unused CSS, Optimize JS | 58 | 24 | 20 | 30k+ | Nonce verification recommended |
| #1034 | Super Progressive Web Apps | 59 | 62 | 22 | 40k+ | wp function not compatible with requires wp |
| #1035 | WooReer | 59 | 44 | 4 | 1k+ | Exception output is not escaped |
| #1036 | Variation Swatches for WooCommerce | 59 | 11 | 64 | 300k+ | Non-prefixed global variable |
| #1037 | Disable Emails | 60 | 25 | 16 | 30k+ | Short PHP open tag found |
| #1038 | GetPaid Stripe Payments | 61 | 206 | 44 | 2k+ | Text Domain Mismatch |
| #1039 | RSS Feed Retriever | 61 | 23 | 8 | 7k+ | wp function not compatible with requires wp |
| #1040 | Satispay for WooCommerce | 62 | 19 | 12 | 7k+ | Exception output is not escaped |
| #1041 | MultiSafepay plugin for WooCommerce | 64 | 13 | 35 | 2k+ | Missing nonce verification |
| #1042 | Royal MCP – Secure AI Connector for Claude, ChatGPT & Gemini | 64 | 6 | 32 | 5k+ | Interpolated SQL is not prepared |
| #1043 | WP Search with Algolia | 64 | 33 | 12 | 7k+ | Missing direct file access protection |
| #1044 | AI Provider for Google | 65 | 32 | 1 | 20k+ | Exception output is not escaped |
| #1045 | USPS Simple Shipping for Woocommerce | 65 | 20 | 11 | 8k+ | Exception output is not escaped |
| #1046 | Ajaxify Comments – Ajax and Lazy Loading Comments | 65 | 20 | 38 | 3k+ | Non-prefixed hook name |
| #1047 | Easy PHP Settings | 66 | 34 | 48 | 2k+ | Missing Translators Comment |
| #1048 | Flexible Product Fields (WooCommerce Product Addons) – WooCommerce Product Page Editor | 66 | 59 | 98 | 10k+ | Non-prefixed global variable |
| #1049 | Icon Widget | 66 | 14 | 9 | 4k+ | Output is not escaped |
| #1050 | Ajax add to cart for WooCommerce | 66 | 67 | 31 | 10k+ | Text Domain Mismatch |