WordPress.Security.EscapeOutput.ExceptionNotEscaped
Exception output is not escaped
An exception message or related exception value is printed without escaping.
Why It Shows Up
The scan found exception data being displayed directly in HTML output.
Why It Matters
Exception messages can include file paths, request values, remote API responses, or database details. Printing them raw can expose information or create XSS risk.
How to Fix
- Use `esc_html()` or another context-appropriate escaping function before displaying exception text.
- Show a generic user-facing message and log the detailed exception for administrators or developers.
- Do not print stack traces, paths, or raw remote responses on public pages.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1351 | Rollbar | 39 | 75 | 14 | 400 | Output is not escaped | ||
| #1352 | Royal Mail Shipping Calculator for WooCommerce | 39 | 61 | 31 | 1k+ | Text Domain Mismatch | ||
| #1353 | Shipping Simulator for WooCommerce | 39 | 120 | 39 | 5k+ | Text Domain Mismatch | ||
| #1354 | Smaily for WP | 39 | 52 | 36 | 600 | Output is not escaped | ||
| #1355 | Smart Archives Reloaded | 39 | 78 | 36 | 1k+ | Non Singular String Literal Domain | ||
| #1356 | Universal Google Adsense and Ads manager | 39 | 70 | 31 | 2k+ | Unsafe printing function | ||
| #1357 | Payments via PayMongo for WooCommerce | 39 | 36 | 81 | 1k+ | Nonce verification recommended | ||
| #1358 | Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types | 39 | 89 | 117 | 20k+ | Unsafe printing function | ||
| #1359 | Payment Gateway – nexi Alpha Bank for WooCommerce | 39 | 96 | 40 | 1k+ | Non Singular String Literal Domain | ||
| #1360 | PayU GPO Payment for WooCommerce | 39 | 44 | 91 | 10k+ | Output is not escaped | ||
| #1361 | Advanced Country Blocker | 40 | 23 | 77 | 2k+ | Exception output is not escaped | ||
| #1362 | Advanced Custom Fields: Font Awesome Field | 40 | 332 | 70 | 90k+ | Text Domain Mismatch | ||
| #1363 | Advanced IP Blocker | 40 | 94 | 49 | 2k+ | Exception output is not escaped | ||
| #1364 | Billingo Official for WooCommerce | 40 | 25 | 37 | 3k+ | Output is not escaped | ||
| #1365 | Custom Cart Link for WooCommerce | 40 | 24 | 16 | 700 | Unsafe printing function | ||
| #1366 | Categories Metabox Enhanced | 40 | 77 | 36 | 1k+ | Output is not escaped | ||
| #1367 | CleverReach Integration for Contact Form 7 | 40 | 103 | 43 | 700 | Text Domain Mismatch | ||
| #1368 | GetPaid > Item Inventory | 40 | 112 | 52 | 400 | Text Domain Mismatch | ||
| #1369 | Hostinger Reach – AI-Powered Email Marketing for WordPress | 40 | 9 | 45 | 1m+ | Direct Query | ||
| #1370 | WP Mobile Redirect | 40 | 44 | 20 | 400 | Text Domain Mismatch | ||
| #1371 | Monkeyman Rewrite Analyzer | 40 | 89 | 10 | 2k+ | Non Singular String Literal Domain | ||
| #1372 | Give – Paystack Gateway | 40 | 96 | 10 | 1k+ | Text Domain Mismatch | ||
| #1373 | Paystack MemberPress | 40 | 71 | 76 | 400 | Output is not escaped | ||
| #1374 | Private Google Calendars | 40 | 227 | 37 | 1k+ | Output is not escaped | ||
| #1375 | LazyLoad Plugin – Lazy Load Images, Videos, and Iframes | 40 | 31 | 17 | 100k+ | Output is not escaped | ||
| #1376 | RPB Chessboard | 40 | 86 | 98 | 1k+ | Missing direct file access protection | ||
| #1377 | ST Demo Importer | 40 | 27 | 75 | 800 | Missing nonce verification | ||
| #1378 | turboSMTP | 40 | 114 | 112 | 400 | Unsafe printing function | ||
| #1379 | Url Rewrite Analyzer | 40 | 73 | 23 | 400 | Unsafe printing function | ||
| #1380 | Visma Pay for Woocommerce | 40 | 27 | 37 | 1k+ | Output is not escaped | ||
| #1381 | Eurobank WooCommerce Payment Gateway | 40 | 66 | 43 | 2k+ | Non Singular String Literal Domain | ||
| #1382 | Additional Variation Images Gallery for WooCommerce | 40 | 60 | 129 | 20k+ | Non-prefixed global variable | ||
| #1383 | Wallet for WooCommerce | 40 | 32 | 524 | 20k+ | Non-prefixed hook name | ||
| #1384 | WP Meteor Website Speed Optimization Addon | 40 | 34 | 19 | 20k+ | Output is not escaped | ||
| #1385 | My YouTube Channel | 40 | 54 | 38 | 5k+ | Output is not escaped | ||
| #1386 | Alma – Pay in installments or later for WooCommerce | 41 | 116 | 68 | 1k+ | Exception output is not escaped | ||
| #1387 | Amazon Web Services | 41 | 53 | 21 | 5k+ | Missing Translators Comment | ||
| #1388 | Beautiful Cookie Consent Banner | 41 | 33 | 76 | 40k+ | Non-prefixed global variable | ||
| #1389 | Payment Gateway of PayPal for WooCommerce | 41 | 44 | 184 | 7k+ | Nonce verification recommended | ||
| #1390 | FluentAffiliate – Affiliate Program Management Suite, Affiliates Manager | 41 | 115 | 14 | 1k+ | Exception output is not escaped | ||
| #1391 | iCount Payment Gateway | 41 | 152 | 22 | 500 | Text Domain Mismatch | ||
| #1392 | Inpost Paczkomaty | 41 | 35 | 68 | 8k+ | Text Domain Mismatch | ||
| #1393 | Lockdown WP Admin | 41 | 20 | 50 | 10k+ | Request data is not unslashed | ||
| #1394 | Web Accessibility (formally known as Ally) – WCAG Scanning, Guided Fixes, Usability Widget | 41 | 47 | 38 | 500k+ | Output is not escaped | ||
| #1395 | Smooth Scroll Up | 41 | 61 | 10 | 6k+ | Output is not escaped | ||
| #1396 | Text Hover | 41 | 44 | 13 | 1k+ | Output is not escaped | ||
| #1397 | Text Replace | 41 | 55 | 12 | 3k+ | Output is not escaped | ||
| #1398 | WooCommerce Colors | 41 | 63 | 28 | 10k+ | Output is not escaped | ||
| #1399 | WP Crontrol | 41 | 20 | 91 | 300k+ | Nonce verification recommended | ||
| #1400 | WP Router | 41 | 29 | 13 | 800 | Exception output is not escaped |