WordPress.Security.EscapeOutput.ExceptionNotEscaped
Exception output is not escaped
An exception message or related exception value is printed without escaping.
Why It Shows Up
The scan found exception data being displayed directly in HTML output.
Why It Matters
Exception messages can include file paths, request values, remote API responses, or database details, and parts of that text may be attacker-influenced (a request parameter echoed back in a validation error, or the body of a remote API response). Printing the message raw into HTML can expose internal information and, where the text originates from outside the plugin, create an XSS risk.
How to Fix
- Use `esc_html()` or another context-appropriate escaping function before displaying exception text.
- Show a generic user-facing message and log the detailed exception for administrators or developers.
- Do not print stack traces, paths, or raw remote responses on public pages.
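The three points above combined in one handler, as an added example that is not code from the page or from any plugin listed below. The function names `myplugin_render_report_unsafe()`, `myplugin_render_report()` and the class `MyPlugin_Remote_Client` are hypothetical; the WordPress functions `esc_html()`, `esc_html__()` and `current_user_can()` are real and the code assumes it runs inside WordPress.

```php
<?php
// Added example, not from the page or any listed plugin. Hypothetical names:
// myplugin_render_report_unsafe(), myplugin_render_report(), MyPlugin_Remote_Client.
// Assumes a WordPress runtime (esc_html, esc_html__, current_user_can).

// Before: the pattern the sniff flags. If $e->getMessage() carries a request
// value or a remote API body, that text is rendered as HTML unescaped.
function myplugin_render_report_unsafe( MyPlugin_Remote_Client $client ) {
    try {
        echo '<pre>' . $client->fetch_report() . '</pre>';
    } catch ( Exception $e ) {
        echo '<div class="notice notice-error"><p>' . $e->getMessage() . '</p></div>';
    }
}

// After: generic text for visitors, full detail only in the log, and any
// exception text that does reach the page escaped for its HTML context.
function myplugin_render_report( MyPlugin_Remote_Client $client ) {
    try {
        echo '<pre>' . esc_html( $client->fetch_report() ) . '</pre>';
    } catch ( Exception $e ) {
        // Class, file, line and message go to the PHP error log, never to the page.
        error_log( sprintf(
            'myplugin: %s in %s:%d - %s',
            get_class( $e ),
            $e->getFile(),
            $e->getLine(),
            $e->getMessage()
        ) );

        echo '<div class="notice notice-error"><p>';
        echo esc_html__( 'The report could not be loaded. Please try again later.', 'myplugin' );

        // Optional: administrators get the message itself, escaped because it is
        // printed into HTML body content. No path, no trace, no raw response.
        if ( current_user_can( 'manage_options' ) ) {
            echo ' ' . esc_html( $e->getMessage() );
        }
        echo '</p></div>';
    }
}
```

`esc_html()` is correct for text placed between tags; a message that goes into an attribute needs `esc_attr()`, and one handed to JavaScript needs `wp_json_encode()`. The escaping function follows the output context, not the exception.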
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1201 | WP PGP Encrypted Emails | 35 | 63 | 39 | 400 | | | Output is not escaped |
| #1202 | WP Post Series | 35 | 10 | 9 | 600 | | | Non-prefixed global variable |
| #1203 | WPFront User Role Editor | 35 | 333 | 578 | 30k+ | | | Output is not escaped |
| #1204 | XServer Migrator | 35 | 39 | 53 | 10k+ | | | Interpolated SQL is not prepared |
| #1205 | Yabe Webfont – Use Custom Fonts, Google Fonts or Adobe Fonts | 35 | 48 | 114 | 5k+ | | | Non-prefixed hook name |
| #1206 | Year Make Model Search for WooCommerce | 35 | 188 | 162 | 1k+ | | | Output is not escaped |
| #1207 | Age Verification for your checkout page. Verify your customer's identity | 36 | 155 | 238 | 500 | | | Output is not escaped |
| #1208 | authLdap | 36 | 47 | 30 | 5k+ | | | Exception output is not escaped |
| #1209 | bpost shipping | 36 | 97 | 43 | 700 | | | Output is not escaped |
| #1210 | Cashflows for WooCommerce | 36 | 118 | 36 | 600 | | | Text Domain Mismatch |
| #1211 | CMB2 | 36 | 148 | 19 | 300k+ | | | Output is not escaped |
| #1212 | ColorMeShop WordPress Plugin | 36 | 392 | 37 | 600 | | | Exception output is not escaped |
| #1213 | Constant Contact Forms | 36 | 39 | 89 | 20k+ | | | Missing nonce verification |
| #1214 | Depicter — Popup & Slider Builder | 36 | 130 | 121 | 80k+ | | | Exception output is not escaped |
| #1215 | Doneren met Mollie | 36 | 420 | 351 | 4k+ | | | SQL query is not prepared |
| #1216 | Duitku Payment Gateway | 36 | 507 | 107 | 700 | | | Text Domain Mismatch |
| #1217 | Duplicate Post – duplicate pages, copy content, clone posts | 36 | 71 | 81 | 5k+ | | | wp function not compatible with requires wp |
| #1218 | Dynamic Copyright Year | 36 | 972 | 43 | 800 | | | Output is not escaped |
| #1219 | Dynamic Front-End Heartbeat Control | 36 | 217 | 111 | 1k+ | | | Text Domain Mismatch |
| #1220 | Enormail Sign Up Forms | 36 | 133 | 126 | 400 | | | Output is not escaped |
| #1221 | FreePay for WooCommerce | 36 | 114 | 102 | 400 | | | Output is not escaped |
| #1222 | Insert Headers and Footers Code – HT Script | 36 | 391 | 34 | 7k+ | | | Text Domain Mismatch |
| #1223 | Jetpack VideoPress | 36 | 618 | 224 | 7k+ | | | Text Domain Mismatch |
| #1224 | Just TinyMCE Custom Styles | 36 | 112 | 28 | 1k+ | | | Missing Arg Domain |
| #1225 | Legal Text Connector of the IT-Recht Kanzlei | 36 | 45 | 46 | 10k+ | | | Exception output is not escaped |
| #1226 | M Chart | 36 | 29 | 155 | 3k+ | | | Non-prefixed global variable |
| #1227 | Materialis Companion | 36 | 129 | 67 | 6k+ | | | Unsafe printing function |
| #1228 | PDF Forms Filler for CF7 | 36 | 185 | 79 | 3k+ | | | Text Domain Mismatch |
| #1229 | PDF Forms Filler for WPForms | 36 | 161 | 54 | 600 | | | Text Domain Mismatch |
| #1230 | افزونه رسمی ترب | 36 | 42 | 86 | 20k+ | | | Exception output is not escaped |
| #1231 | Qubely – Advanced Gutenberg Blocks | 36 | 39 | 78 | 8k+ | | | Request data is not unslashed |
| #1232 | Responsive Testimonials | 36 | 252 | 32 | 400 | | | Text Domain Mismatch |
| #1233 | Stripe Tax – Sales tax automation for WooCommerce | 36 | 97 | 61 | 30k+ | | | Exception output is not escaped |
| #1234 | SureContact – Newsletters, Email Marketing, Automation, Revenue Tracking & CRM | 36 | 314 | 132 | 4k+ | | | Text Domain Mismatch |
| #1235 | FOMO & Social Proof Notifications by TrustPulse – Best WordPress FOMO Plugin | 36 | 104 | 39 | 10k+ | | | Output is not escaped |
| #1236 | Video Thumbnails Reloaded | 36 | 343 | 58 | 2k+ | | | Text Domain Mismatch |
| #1237 | Payments via PayMongo for WooCommerce | 36 | 39 | 81 | 1k+ | | | Nonce verification recommended |
| #1238 | Guaranteed Reviews Company (Société des Avis Garantis) | 36 | 369 | 197 | 1k+ | | | Output is not escaped |
| #1239 | Rabo Smart Pay for WooCommerce | 36 | 144 | 55 | 600 | | | Text Domain Mismatch |
| #1240 | Extended Coupon Features for WooCommerce FREE | 36 | 219 | 63 | 10k+ | | | Text Domain Mismatch |
| #1241 | Eway Payments for Woo | 36 | 525 | 40 | 3k+ | | | Text Domain Mismatch |
| #1242 | WP Publication Archive | 36 | 197 | 64 | 400 | | | Text Domain Mismatch |
| #1243 | WP fail2ban Blocklist | 36 | 61 | 63 | 3k+ | | | SQL query is not prepared |
| #1244 | Zarinpal Gateway | 36 | 151 | 55 | 50k+ | | | Non Singular String Literal Domain |
| #1245 | Zeno – AI-Powered Chatbot | 36 | 311 | 131 | 500 | | | Text Domain Mismatch |
| #1246 | Adapta RGPD | 37 | 349 | 72 | 40k+ | | | Text Domain Mismatch |
| #1247 | Advanced Media Offloader | 37 | 59 | 93 | 5k+ | | | error log error log |
| #1248 | Antom Payments | 37 | 60 | 68 | 800 | | | badly named files |
| #1249 | Avatar Privacy | 37 | 82 | 36 | 1k+ | | | Missing direct file access protection |
| #1250 | Blimply | 37 | 172 | 43 | 700 | | | Text Domain Mismatch |