WordPress.Security.EscapeOutput.ExceptionNotEscaped
Exception output is not escaped
An exception message or related exception value is printed without escaping.
Why It Shows Up
The scan found exception data being displayed directly in HTML output.
Why It Matters
Exception messages can include file paths, request values, remote API responses, or database details. Printing them raw can expose information or create XSS risk.
How to Fix
- Use `esc_html()` or another context-appropriate escaping function before displaying exception text.
- Show a generic user-facing message and log the detailed exception for administrators or developers.
- Do not print stack traces, paths, or raw remote responses on public pages.
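As an added illustration (not code from the scanner or from any plugin listed below), here is the flagged pattern next to the fix the bullets describe. It assumes WordPress is loaded; `myplugin_*` function names and the `$api->fetch()` call are placeholders.

```php
<?php
// Added example; assumes WordPress functions (esc_html, esc_html__, current_user_can) are available.
// $api->fetch() and the myplugin_* names are hypothetical placeholders.

// Flagged pattern: the raw exception message is concatenated into HTML output.
function myplugin_render_before( $api ) {
    try {
        return $api->fetch();
    } catch ( Exception $e ) {
        // The message may carry file paths, request values or a remote response body,
        // and nothing escapes it before it reaches the page.
        echo '<div class="notice notice-error"><p>' . $e->getMessage() . '</p></div>';
    }
}

// Hardened pattern: a generic, escaped message for the page; details go to the log only.
function myplugin_render_after( $api ) {
    try {
        return $api->fetch();
    } catch ( Exception $e ) {
        // Detail for administrators/developers is logged, never printed.
        error_log( sprintf(
            'myplugin: fetch failed in %s:%d: %s',
            $e->getFile(),
            $e->getLine(),
            $e->getMessage()
        ) );

        // The user-facing text is a fixed translatable string, escaped for HTML context.
        echo '<div class="notice notice-error"><p>'
            . esc_html__( 'The request could not be completed. Please try again later.', 'myplugin' )
            . '</p></div>';
    }
}

// If exception text genuinely has to be shown (e.g. on an admin-only debug screen),
// restrict who sees it and escape it for the context it is printed into.
function myplugin_render_admin_detail( Exception $e ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    printf( '<code>%s</code>', esc_html( $e->getMessage() ) );
}
```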
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1151 | Ally – Web Accessibility & Usability | 41 | 47 | 35 | 500k+ | | | Output is not escaped |
| #1152 | Smooth Scroll Up | 41 | 61 | 10 | 6k+ | | | Output is not escaped |
| #1153 | Text Hover | 41 | 44 | 13 | 1k+ | | | Output is not escaped |
| #1154 | Text Replace | 41 | 55 | 12 | 3k+ | | | Output is not escaped |
| #1155 | WooCommerce Colors | 41 | 63 | 28 | 10k+ | | | Output is not escaped |
| #1156 | WP Crontrol | 41 | 20 | 91 | 300k+ | | | Nonce verification recommended |
| #1157 | WP Router | 41 | 29 | 13 | 800 | | | Exception output is not escaped |
| #1158 | Asesor de Cookies RGPD para normativa europea | 42 | 27 | 32 | 20k+ | | | Missing nonce verification |
| #1159 | Clover Payments for WooCommerce | 42 | 25 | 15 | 2k+ | | | Exception output is not escaped |
| #1160 | Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution | 42 | 111 | 17 | 20k+ | | | Exception output is not escaped |
| #1161 | FooTable | 42 | 86 | 7 | 1k+ | | | Output is not escaped |
| #1162 | hCaptcha for WP | 42 | 115 | 18 | 70k+ | | | Exception output is not escaped |
| #1163 | Hide Cart Functions | 42 | 12 | 50 | 3k+ | | | Nonce verification recommended |
| #1164 | OnPay.io for WooCommerce | 42 | 238 | 37 | 2k+ | | | Text Domain Mismatch |
| #1165 | reCAPTCHA for WooCommerce | 42 | 80 | 31 | 40k+ | | | Output is not escaped |
| #1166 | Secure Passkeys | 42 | 146 | 76 | 1k+ | | | Exception output is not escaped |
| #1167 | AMP | 43 | 63 | 362 | 400k+ | | | Non-prefixed hook name |
| #1168 | Auto Alt Text | 43 | 52 | 13 | 4k+ | | | Exception output is not escaped |
| #1169 | Checkout Field Manager (Checkout Manager) for WooCommerce | 43 | 162 | 154 | 90k+ | | | Non-prefixed global variable |
| #1170 | Buttonizer – Live Chat, AI Chatbot, Call, Chat, Contact Button | 44 | 24 | 71 | 50k+ | | | Non-prefixed constant |
| #1171 | Shippit for WooCommerce | 44 | 127 | 26 | 900 | | | Text Domain Mismatch |
| #1172 | Evergreen Countdown Timer | 45 | 193 | 35 | 2k+ | | | wp function not compatible with requires wp |
| #1173 | Jetpack Search | 45 | 925 | 426 | 5k+ | | | Text Domain Mismatch |
| #1174 | Passwords Evolved | 45 | 26 | 17 | 1k+ | | | Output is not escaped |
| #1175 | Simple Membership MailChimp Integration | 45 | 34 | 27 | 1k+ | | | curl curl setopt |
| #1176 | TriPay Payment Gateway | 45 | 478 | 44 | 1k+ | | | Text Domain Mismatch |
| #1177 | Payrexx Payment Gateway for WooCommerce | 45 | 17 | 117 | 2k+ | | | Non-prefixed class |
| #1178 | Better image sizes | 46 | 45 | 23 | 2k+ | | | Text Domain Mismatch |
| #1179 | CLP Varnish Cache | 46 | 15 | 58 | 10k+ | | | Non-prefixed global variable |
| #1180 | Cashfree for WooCommerce | 47 | 21 | 21 | 8k+ | | | Nonce verification recommended |
| #1181 | iControlWP | 47 | 45 | 59 | 1k+ | | | Missing direct file access protection |
| #1182 | QuadLayers TikTok Feed | 47 | 78 | 52 | 7k+ | | | Text Domain Mismatch |
| #1183 | AnWP Post Grid and Post Carousel Slider for Elementor | 48 | 758 | 171 | 20k+ | | | Text Domain Mismatch |
| #1184 | Jetpack Social | 48 | 829 | 254 | 30k+ | | | Text Domain Mismatch |
| #1185 | Optinly – Exit Intent, Newsletter Popups, Gamification & Opt-in Forms | 48 | 34 | 14 | 800 | | | Non Singular String Literal Domain |
| #1186 | Instamojo for WooCommerce | 48 | 72 | 44 | 5k+ | | | Text Domain Mismatch |
| #1187 | ACF Quick Edit Fields | 49 | 20 | 72 | 30k+ | | | Nonce verification recommended |
| #1188 | Custom Block Builder – Lazy Blocks | 50 | 23 | 51 | 20k+ | | | Non-prefixed hook name |
| #1189 | WP SVG Images | 50 | 58 | 12 | 30k+ | | | Text Domain Mismatch |
| #1190 | SePay Gateway | 51 | 12 | 39 | 2k+ | | | Nonce verification recommended |
| #1191 | The Paste | 51 | 19 | 11 | 10k+ | | | Unsafe printing function |
| #1192 | GSheetConnector for Gravity Forms – Send Gravity Forms Entries to Google Sheets in Real-Time | 52 | 26 | 27 | 1k+ | | | Exception output is not escaped |
| #1193 | Automattic For Agencies Client | 53 | 249 | 184 | 20k+ | | | Text Domain Mismatch |
| #1194 | FakerPress | 53 | 66 | 152 | 10k+ | | | Non-prefixed global variable |
| #1195 | LuckyWP ACF Menu Field | 53 | 46 | 9 | 5k+ | | | Short PHP open tag found |
| #1196 | Pinterest for WooCommerce | 53 | 44 | 30 | 300k+ | | | Exception output is not escaped |
| #1197 | Weight Based Shipping for WooCommerce | 53 | 48 | 41 | 60k+ | | | Missing direct file access protection |
| #1198 | WP Console – WordPress PHP Console powered by PsySH | 53 | 34 | 48 | 20k+ | | | Exception output is not escaped |
| #1199 | CSV Importer | 54 | 24 | 11 | 3k+ | | | Missing direct file access protection |
| #1200 | Cyr-To-Lat | 54 | 16 | 48 | 300k+ | | | Dynamic hook name |