WordPress.Security.EscapeOutput.ExceptionNotEscaped
Exception output is not escaped
An exception message or related exception value is printed without escaping.
Why It Shows Up
The scan found exception data being displayed directly in HTML output.
Why It Matters
Exception messages can include file paths, request values, remote API responses, or database details. Printing them raw can expose information or create XSS risk.
How to Fix
- Use `esc_html()` or another context-appropriate escaping function before displaying exception text.
- Show a generic user-facing message and log the detailed exception for administrators or developers.
- Do not print stack traces, paths, or raw remote responses on public pages.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1301 | Clever Mega Menu for Visual Composer | 38 | 500 | 87 | 1k+ | Output is not escaped | ||
| #1302 | Clever Mega Menu for Elementor | 38 | 835 | 44 | 1k+ | Output is not escaped | ||
| #1303 | Crop-Thumbnails | 38 | 33 | 27 | 40k+ | Missing direct file access protection | ||
| #1304 | Customize Posts | 38 | 31 | 77 | 1k+ | Non-prefixed hook name | ||
| #1305 | Product Badge, Label, Countdown Timer for WooCommerce – Sale Booster | 38 | 37 | 98 | 5k+ | Interpolated SQL is not prepared | ||
| #1306 | Buttonizer – Social Media Share Buttons, Social Icons, & Social Feeds | 38 | 167 | 82 | 40k+ | Output is not escaped | ||
| #1307 | Front-end Editor | 38 | 78 | 62 | 500 | Output is not escaped | ||
| #1308 | Goal Tracker – Custom Event Tracking for GA4 | 38 | 541 | 25 | 2k+ | Output is not escaped | ||
| #1309 | GoDaddy Payments for WooCommerce | 38 | 58 | 65 | 2k+ | Output is not escaped | ||
| #1310 | imoje | 38 | 62 | 160 | 2k+ | Nonce verification recommended | ||
| #1311 | Coding Chicken – JetEngine Importer | 38 | 55 | 29 | 400 | Missing direct file access protection | ||
| #1312 | LuckyWP Scripts Control | 38 | 186 | 23 | 3k+ | Output is not escaped | ||
| #1313 | Migrate Store: Export and Import WooCommerce Settings | 38 | 37 | 33 | 1k+ | Non-prefixed global variable | ||
| #1314 | Polaroid Gallery | 38 | 105 | 20 | 1k+ | Unsafe printing function | ||
| #1315 | qTranslate META | 38 | 88 | 26 | 400 | Output is not escaped | ||
| #1316 | SCSS WP Editor | 38 | 111 | 40 | 900 | Exception output is not escaped | ||
| #1317 | Simple JWT Login – Allows you to use JWT on REST endpoints. | 38 | 712 | 95 | 4k+ | Output is not escaped | ||
| #1318 | Simple LDAP Login | 38 | 65 | 33 | 1k+ | Output is not escaped | ||
| #1319 | SimpleShop | 38 | 52 | 51 | 1k+ | date date | ||
| #1320 | Templatiq | 38 | 31 | 94 | 900 | Non-prefixed hook name | ||
| #1321 | Twiget Twitter Widget | 38 | 147 | 36 | 500 | Output is not escaped | ||
| #1322 | VidShop – Shoppable Videos for WooCommerce | 38 | 54 | 153 | 1k+ | Database parameter is not escaped | ||
| #1323 | Visual Admin Customizer | 38 | 20 | 51 | 500 | Input is not sanitized | ||
| #1324 | Shipping Packages for WooCommerce – Dropship from multiple locations like AliExpress, eBay, Amazon, Etsy | 38 | 94 | 26 | 900 | Non Singular String Literal Domain | ||
| #1325 | Products Coming Soon for WooCommerce | 38 | 151 | 62 | 700 | Output is not escaped | ||
| #1326 | Wholesale for WooCommerce | 38 | 541 | 22 | 1k+ | Output is not escaped | ||
| #1327 | Connect WooCommerce Shop to ERP/CRM, Verifactu and EU/VAT Compliance | 38 | 23 | 104 | 1k+ | Direct Query | ||
| #1328 | mb.YTPlayer for background videos | 38 | 80 | 29 | 1k+ | Unsafe printing function | ||
| #1329 | Andreani WooCommerce | 39 | 21 | 86 | 800 | Non-prefixed global variable | ||
| #1330 | Animate It! | 39 | 137 | 16 | 20k+ | Text Domain Mismatch | ||
| #1331 | Australia Post WooCommerce Extension | 39 | 99 | 12 | 3k+ | Text Domain Mismatch | ||
| #1332 | BugSnag Error Monitoring plugin | 39 | 52 | 96 | 2k+ | wp function not compatible with requires wp | ||
| #1333 | Innozilla Skins for Contact Form 7 | 39 | 152 | 22 | 2k+ | Output is not escaped | ||
| #1334 | Constant Contact + WooCommerce | 39 | 27 | 91 | 1k+ | Nonce verification recommended | ||
| #1335 | Da Reactions | 39 | 15 | 140 | 400 | Request data is not unslashed | ||
| #1336 | Email Marketing by EmailOctopus | 39 | 43 | 62 | 3k+ | Non-prefixed global variable | ||
| #1337 | Events Manager – Zoom Integration | 39 | 141 | 43 | 700 | Output is not escaped | ||
| #1338 | GF Mollie by Indigo | 39 | 82 | 33 | 900 | Exception output is not escaped | ||
| #1339 | GoSMTP – SMTP for WordPress | 39 | 59 | 42 | 500k+ | Output is not escaped | ||
| #1340 | Insert Amz Images | 39 | 79 | 44 | 1k+ | Output is not escaped | ||
| #1341 | Leaflet Map | 39 | 59 | 32 | 30k+ | Output is not escaped | ||
| #1342 | linkPizza-Manager | 39 | 46 | 23 | 700 | Exception output is not escaped | ||
| #1343 | LuckyWP Table of Contents | 39 | 438 | 62 | 100k+ | Output is not escaped | ||
| #1344 | MailChimp Add-On for FormCraft | 39 | 56 | 29 | 800 | curl curl setopt | ||
| #1345 | Pay by paynow.pl | 39 | 51 | 56 | 6k+ | Output is not escaped | ||
| #1346 | payever – WooCommerce Gateway | 39 | 263 | 131 | 700 | Text Domain Mismatch | ||
| #1347 | Paystack Add-On for Gravity Forms | 39 | 96 | 31 | 400 | Text Domain Mismatch | ||
| #1348 | PO/MO Editor | 39 | 106 | 45 | 1k+ | Unsafe printing function | ||
| #1349 | Query Multiple Taxonomies | 39 | 55 | 41 | 500 | Output is not escaped | ||
| #1350 | Quform Mailchimp | 39 | 65 | 147 | 800 | Nonce verification recommended |