WordPress.Security.EscapeOutput.ExceptionNotEscaped
Exception output is not escaped
An exception message or related exception value is printed without escaping.
Why It Shows Up
The scan found exception data being displayed directly in HTML output.
Why It Matters
Exception messages routinely carry file paths, request values, remote API responses, or database error text. Printing them raw into HTML discloses that information to whoever triggered the error, and whenever part of the message originates from a request parameter or from a remote response, the raw echo becomes a cross-site scripting sink just like any other unescaped output.
How to Fix
- Escape exception text for the context it is printed into: `esc_html()` in HTML body text, `esc_attr()` inside an attribute, and `wp_kses_post()` only if the message must keep limited markup. This applies whether the value comes from `getMessage()` or another accessor on the caught exception.
- Prefer a generic user-facing message and log the detailed exception for administrators or developers (for example with `error_log()`, which lands in the debug log when `WP_DEBUG_LOG` is enabled). Escaping alone stops the XSS; only the generic message stops the information leak.
- Do not print stack traces, file paths, or raw remote responses on public pages, and remember that admin screens are not exempt from the escaping requirement.
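The pattern the sniff flags, next to the two fixes above, as an added example that is not code from the original page or from any plugin it lists. The plugin name `myplugin`, the `myplugin_*` functions, the hostile upstream body and the request value are constructed for illustration; the small `esc_html()` / `esc_html__()` polyfills exist only so the file runs outside WordPress (inside a plugin the real core functions are already loaded and should be used as-is).

```php
<?php
// Added example, not from the original page or any listed plugin.
// Polyfills (assumption: we are running outside WordPress) so the file
// executes stand-alone; real WordPress provides these functions itself.
if ( ! function_exists( 'esc_html' ) ) {
	function esc_html( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
	}
}
if ( ! function_exists( 'esc_html__' ) ) {
	function esc_html__( $text, $domain = 'default' ) {
		return esc_html( $text );
	}
}

// Hypothetical remote lookup whose failure message embeds two untrusted
// values: the caller-supplied $symbol and part of the remote response body.
function myplugin_fetch_quote( $symbol ) {
	$remote_body = '<img src=x onerror=alert(1)>'; // constructed: hostile upstream response
	throw new RuntimeException( "Upstream rejected symbol {$symbol}: {$remote_body}" );
}

// BEFORE: the echo WordPress.Security.EscapeOutput.ExceptionNotEscaped reports.
// The message reaches the page raw, so both injected fragments execute and
// the upstream error text is disclosed to the visitor.
function myplugin_render_unsafe( $symbol ) {
	try {
		echo myplugin_fetch_quote( $symbol );
	} catch ( Exception $e ) {
		echo '<p class="error">' . $e->getMessage() . '</p>';
	}
}

// AFTER (minimal): escape for the HTML-body context. This removes the XSS
// but still shows the upstream details to the visitor.
function myplugin_render_escaped( $symbol ) {
	try {
		echo myplugin_fetch_quote( $symbol );
	} catch ( Exception $e ) {
		echo '<p class="error">' . esc_html( $e->getMessage() ) . '</p>';
	}
}

// AFTER (preferred): generic, translatable message for the visitor; the
// detail goes to the server log / WP_DEBUG_LOG where developers can read it.
function myplugin_render_generic( $symbol ) {
	try {
		echo myplugin_fetch_quote( $symbol );
	} catch ( Exception $e ) {
		error_log( sprintf(
			'[myplugin] %s in %s:%d',
			$e->getMessage(),
			$e->getFile(),
			$e->getLine()
		) );
		echo '<p class="error">'
			. esc_html__( 'Quote lookup failed. Please try again later.', 'myplugin' )
			. '</p>';
	}
}

// Constructed attacker-controlled request value (e.g. from $_GET['symbol']).
$symbol = '"><script>alert(document.cookie)</script>';

myplugin_render_unsafe( $symbol );  echo PHP_EOL; // browser executes the injected markup
myplugin_render_escaped( $symbol ); echo PHP_EOL; // rendered as literal text
myplugin_render_generic( $symbol ); echo PHP_EOL; // nothing sensitive reaches the page
```

Run it with `php example.php` and compare the three lines: only the first contains live `<script>`/`<img>` tags, and only the third keeps the upstream wording off the page entirely.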
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Updated | Top Issue |
|---|---|---|---|---|---|---|---|
| #1051 | Ajax add to cart for WooCommerce | 66 | 67 | 31 | 10k+ | | Text Domain Mismatch |
| #1052 | WordPress.com Editing Toolkit | 67 | 52 | 90 | 1k+ | | Missing direct file access protection |
| #1053 | wp-Typography | 67 | 91 | 33 | 20k+ | | Missing direct file access protection |
| #1054 | Solid Mail – SMTP email and logging made by SolidWP | 68 | 16 | 17 | 60k+ | | Database parameter is not escaped |
| #1055 | WP Wand – Unlimited Content Generation using AI – for OpenAI, Claude, Openrouter and Deepseek | 69 | 452 | 25 | 1k+ | | Text Domain Mismatch |
| #1056 | In-feed ads for Google AdSense | 70 | 20 | 20 | 7k+ | | Non-prefixed global variable |
| #1057 | WPGraphQL Smart Cache | 70 | 88 | 9 | 7k+ | | Text Domain Mismatch |
| #1058 | WindPress – Tailwind CSS integration for WordPress | 71 | 16 | 106 | 3k+ | | Non-prefixed hook name |
| #1059 | Direct Checkout for WooCommerce | 71 | 78 | 35 | 80k+ | | Text Domain Mismatch |
| #1060 | SmartSMTP | 72 | 7 | 37 | 2k+ | | Nonce verification recommended |
| #1061 | Export Media Library | 73 | 5 | 5 | 30k+ | | Output is not escaped |
| #1062 | Comment Edit Core – Simple Comment Editing | 73 | 27 | 85 | 2k+ | | Non-prefixed hook name |
| #1063 | Change Storefront Footer Copyright Text | 73 | 72 | 21 | 4k+ | | Text Domain Mismatch |
| #1064 | Conditional Logic Emails, Fields, Redirect for Elementor Forms | 75 | 312 | 31 | 2k+ | | wp function not compatible with requires wp |
| #1065 | Starter Templates & Sites Pack by ThemeGrill | 75 | 21 | 50 | 70k+ | | Non-prefixed hook name |
| #1066 | AI Provider for OpenAI | 76 | 15 | 1 | 20k+ | | Exception output is not escaped |
| #1067 | Autocomplete WooCommerce Orders | 76 | 70 | 55 | 30k+ | | Text Domain Mismatch |
| #1068 | Bit Flows: AI Agent Automation & Integrations for Forms, CRM, eCommerce, Google Sheets, and More | 77 | 18 | 20 | 2k+ | | wp function not compatible with requires wp |
| #1069 | Lead Generation Contact Widget & AI Chatbot: Chat Button, Phone Call, Telegram, Email – SiteLeads | 77 | 17 | 1 | 10k+ | | Exception output is not escaped |
| #1070 | AI Provider for Anthropic | 78 | 13 | 1 | 20k+ | | Exception output is not escaped |
| #1071 | Web3 Crypto Payments by DePay for WooCommerce | 78 | 6 | 101 | 1k+ | | Direct Query |
| #1072 | Remove noreferrer | 79 | 17 | 14 | 5k+ | | Missing Arg Domain |
| #1073 | Fluent PDF Generator | 80 | 102 | 6 | 20k+ | | Text Domain Mismatch |
| #1074 | Parallax Image | 80 | 6 | 1 | 2k+ | | Missing direct file access protection |
| #1075 | SureMail – SMTP and Email Logs Plugin with Amazon SES, Postmark, and Other Providers | 80 | 45 | 65 | 200k+ | | Non-prefixed hook name |
| #1076 | Wincher Rank Tracker | 80 | 8 | 6 | 3k+ | | Output is not escaped |
| #1077 | Metricool – Social media and site statistics | 82 | 9 | 4 | 80k+ | | Exception output is not escaped |
| #1078 | Upload SVG | 84 | 3 | 8 | 1k+ | | Non-prefixed global variable |
| #1079 | FormGent – Next-Gen AI Form Builder for WordPress with Multi-Step, Quizzes, Payments & More | 85 | 11 | 315 | 1k+ | | Non-prefixed global variable |
| #1080 | AntiSpam for Contact Form 7 | 86 | 14 | 8 | 10k+ | | Text Domain Mismatch |
| #1081 | ACF Dropzone | 88 | 4 | 3 | 1k+ | | Exception output is not escaped |
| #1082 | Font Awesome | 89 | 21 | 3 | 400k+ | | Missing direct file access protection |
| #1083 | Fr Multi Bank Transfer Payment Gateways for WooCommerce | 89 | 28 | 2 | 2k+ | | Text Domain Mismatch |
| #1084 | AI Powered Marketing | 89 | 8 | 8 | 50k+ | | Offloaded Content |
| #1085 | Mobile Detect | 90 | 4 | 1 | 3k+ | | Exception output is not escaped |
| #1086 | reBusted! | 91 | 7 | 3 | 6k+ | | Missing direct file access protection |
| #1087 | Widgets for Social Photo Feed | 91 | 1 | 147 | 10k+ | | Non-prefixed global variable |
| #1088 | WP Mobile Detect | 91 | 4 | 6 | 5k+ | | trademarked term |
| #1089 | WP Session Manager | 91 | 5 | 16 | 2k+ | | Direct Query |
| #1090 | WP Mautic | 92 | 3 | 5 | 6k+ | | trademarked term |