WordPress.Security.EscapeOutput.ExceptionNotEscaped
Exception output is not escaped
An exception message or related exception value is printed without escaping.
Why It Shows Up
The scan found exception data being displayed directly in HTML output.
Why It Matters
Exception messages can include file paths, request values, remote API responses, or database details. Printing them raw can expose information or create XSS risk.
How to Fix
- Use `esc_html()` or another context-appropriate escaping function before displaying exception text.
- Show a generic user-facing message and log the detailed exception for administrators or developers.
- Do not print stack traces, paths, or raw remote responses on public pages.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1401 | Clover Payments for WooCommerce | 42 | 25 | 15 | 2k+ | Exception output is not escaped | ||
| #1402 | Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution | 42 | 111 | 17 | 20k+ | Exception output is not escaped | ||
| #1403 | FooTable | 42 | 86 | 7 | 1k+ | Output is not escaped | ||
| #1404 | hCaptcha for WP | 42 | 115 | 18 | 70k+ | Exception output is not escaped | ||
| #1405 | Hide Cart Functions | 42 | 12 | 50 | 3k+ | Nonce verification recommended | ||
| #1406 | Mobile CSS | 42 | 59 | 7 | 500 | Output is not escaped | ||
| #1407 | OnPay.io for WooCommerce | 42 | 238 | 37 | 1k+ | Text Domain Mismatch | ||
| #1408 | reCAPTCHA for WooCommerce | 42 | 80 | 31 | 40k+ | Output is not escaped | ||
| #1409 | AMP | 43 | 63 | 362 | 400k+ | Non-prefixed hook name | ||
| #1410 | Auto Alt Text | 43 | 52 | 13 | 4k+ | Exception output is not escaped | ||
| #1411 | Good Old Twitter Feed Widget | 43 | 110 | 10 | 400 | Text Domain Mismatch | ||
| #1412 | Qodax Checkout Manager – Checkout Field Editor for WooCommerce | 43 | 17 | 27 | 400 | Interpolated SQL is not prepared | ||
| #1413 | Secure Passkeys | 43 | 145 | 83 | 1k+ | Exception output is not escaped | ||
| #1414 | Checkout Field Manager (Checkout Manager) for WooCommerce | 43 | 161 | 154 | 80k+ | Non-prefixed global variable | ||
| #1415 | WP Hotel Booking Stripe Payment | 43 | 34 | 29 | 400 | Text Domain Mismatch | ||
| #1416 | Buttonizer – Live Chat, AI Chatbot, Call, Chat, Contact Button | 44 | 24 | 71 | 50k+ | Non-prefixed constant | ||
| #1417 | Razorpay Subscriptions for WooCommerce | 44 | 28 | 35 | 600 | Exception output is not escaped | ||
| #1418 | Shippit for WooCommerce | 44 | 127 | 26 | 900 | Text Domain Mismatch | ||
| #1419 | Evergreen Countdown Timer | 45 | 193 | 35 | 2k+ | wp function not compatible with requires wp | ||
| #1420 | Jetpack Search | 45 | 925 | 426 | 5k+ | Text Domain Mismatch | ||
| #1421 | Passwords Evolved | 45 | 26 | 17 | 1k+ | Output is not escaped | ||
| #1422 | Simple Membership MailChimp Integration | 45 | 34 | 27 | 900 | curl curl setopt | ||
| #1423 | TriPay Payment Gateway | 45 | 478 | 44 | 1k+ | Text Domain Mismatch | ||
| #1424 | Payrexx Payment Gateway for WooCommerce | 45 | 18 | 117 | 2k+ | Non-prefixed class | ||
| #1425 | WP OpenAPI | 45 | 26 | 22 | 400 | Output is not escaped | ||
| #1426 | Better image sizes | 46 | 45 | 23 | 2k+ | Text Domain Mismatch | ||
| #1427 | CLP Varnish Cache | 46 | 15 | 58 | 10k+ | Non-prefixed global variable | ||
| #1428 | Cashfree for WooCommerce | 47 | 21 | 21 | 8k+ | Nonce verification recommended | ||
| #1429 | FedaPay Gateway for WooCommerce | 47 | 24 | 11 | 700 | Output is not escaped | ||
| #1430 | iControlWP | 47 | 45 | 59 | 1k+ | Missing direct file access protection | ||
| #1431 | QuadLayers TikTok Feed | 47 | 78 | 52 | 7k+ | Text Domain Mismatch | ||
| #1432 | AffiliateWP – Store Credit | 48 | 47 | 21 | 400 | Output is not escaped | ||
| #1433 | AnWP Post Grid and Post Carousel Slider for Elementor | 48 | 758 | 171 | 20k+ | Text Domain Mismatch | ||
| #1434 | Jetpack Social | 48 | 829 | 254 | 30k+ | Text Domain Mismatch | ||
| #1435 | Optinly – Exit Intent, Newsletter Popups, Gamification & Opt-in Forms | 48 | 34 | 14 | 800 | Non Singular String Literal Domain | ||
| #1436 | Instamojo for WooCommerce | 48 | 72 | 44 | 5k+ | Text Domain Mismatch | ||
| #1437 | ACF Quick Edit Fields | 49 | 20 | 72 | 30k+ | Nonce verification recommended | ||
| #1438 | Custom Block Builder – Lazy Blocks | 50 | 23 | 51 | 20k+ | Non-prefixed hook name | ||
| #1439 | WP SVG Images | 50 | 58 | 12 | 30k+ | Text Domain Mismatch | ||
| #1440 | Dolyame Payment gateway | 51 | 122 | 10 | 700 | Text Domain Mismatch | ||
| #1441 | SePay Gateway | 51 | 12 | 39 | 1k+ | Nonce verification recommended | ||
| #1442 | The Paste | 51 | 19 | 11 | 10k+ | Unsafe printing function | ||
| #1443 | GSheetConnector for Gravity Forms – Send Gravity Forms Entries to Google Sheets in Real-Time | 52 | 26 | 27 | 1k+ | Exception output is not escaped | ||
| #1444 | Automattic For Agencies Client | 53 | 249 | 184 | 20k+ | Text Domain Mismatch | ||
| #1445 | FakerPress | 53 | 66 | 152 | 10k+ | Non-prefixed global variable | ||
| #1446 | LuckyWP ACF Menu Field | 53 | 46 | 9 | 5k+ | Short PHP open tag found | ||
| #1447 | Pinterest for WooCommerce | 53 | 44 | 30 | 300k+ | Exception output is not escaped | ||
| #1448 | REST API Featured Image | 53 | 34 | 16 | 700 | Output is not escaped | ||
| #1449 | Weight Based Shipping for WooCommerce | 53 | 48 | 41 | 60k+ | Missing direct file access protection | ||
| #1450 | WP Console – WordPress PHP Console powered by PsySH | 53 | 34 | 48 | 20k+ | Exception output is not escaped |