WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1BulletProof Security05,0484,94920k+Output is not escaped
#2Intercom060716k+Non-prefixed function
#3Live Shopping & Shoppable Videos For WooCommerce078175400Non-prefixed global variable
#4Themify Builder95,1952,0965k+Text Domain Mismatch
#5JetBackup – Backup, Restore & Migrate101,559145100k+Exception output is not escaped
#6Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more1532163500k+Direct Query
#7Visual Composer Website Builder168232040k+Non-prefixed global variable
#8MDTF – Meta Data and Taxonomies Filter161,5501,9561k+Non-prefixed global variable
#9AnyComment174454495k+Output is not escaped
#10Efí Bank17886553400Exception output is not escaped
#11wpForo Forum174,0332,92220k+Unsafe printing function
#12WPtouch – Make your WordPress Website Mobile-Friendly171,46632550k+Text Domain Mismatch
#13Prime Slider Addons for Elementor183,500230100k+Text Domain Mismatch
#14JetFormBuilder — Dynamic Blocks Form Builder182,0931,58990k+Text Domain Mismatch
#15Pagopar – WooCommerce Gateway185301,215400Non-prefixed global variable
#16Podlove Podcast Publisher182,3261,4293k+Output is not escaped
#17Property Hive181,9576,0273k+Missing nonce verification
#18RestroPress – Online Food Ordering System185213,0831k+Non-prefixed global variable
#19Shopping Cart & eCommerce Store185,45917,2984k+Non-prefixed global variable
#20WP Import Export Lite1873897940k+Non-prefixed global variable
#21WP Directory Kit182,1192,6172k+Non-prefixed global variable
#22WPPizza – A Restaurant Plugin184,6892,7031k+Text Domain Mismatch
#23Element Pack – Widgets, Templates & Addons for Elementor199,448517100k+Text Domain Mismatch
#24Block Slider – Responsive Image Slider, Video Slider & Post Slider195551,2913k+Non-prefixed global variable
#25Download Monitor194251,36480k+Non-prefixed hook name
#26Event Organiser191,10654420k+Text Domain Mismatch
#27Advanced File Manager – Ultimate File Manager for WordPress And Document Library Solution191,218901100k+Exception output is not escaped
#28Go Fetch Jobs (for WP Job Manager)191,4101,741700Non-prefixed global variable
#29AI Infographic Maker191,517599600Output is not escaped
#30Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps)193,2753,22810k+Output is not escaped
#31Matomo Analytics – Powerful, Privacy-First Insights for WordPress191,909878100k+Exception output is not escaped
#32Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization191,2932,6799k+Output is not escaped
#33Netgsm193382981k+Setting is missing a sanitization callback
#34Verified Reviews (Avis Vérifiés)196711,136700Non-prefixed global variable
#35Razorpay Payment Button Plugin19486982k+Exception output is not escaped
#36Realtyna Organic IDX plugin + WPL Real Estate199473,6532k+Non-prefixed global variable
#37Really Simple Security – Simple and Performant Security (formerly Really Simple SSL)195413853m+Missing Translators Comment
#38Membership Plugin – Kadence Memberships195,0822,9829k+Text Domain Mismatch
#39Scrollsequence – Cinematic Scroll Image Animation Plugin198781,5284k+Non-prefixed global variable
#40SendPress Newsletters192,2931,4222k+Output is not escaped
#41SureCart – Ecommerce Made Easy For Selling Physical Products, Digital Downloads, Subscriptions, Donations, & Payments195261,11990k+Non-prefixed global variable
#42WordLift – AI powered SEO – Schema19393946400Non-prefixed hook name
#43WP Email Template193423502k+Exception output is not escaped
#44WPOSS阿里云对象存储192693151k+Non-prefixed namespace
#45WPQiNiu七牛云对象存储19138612400Non-prefixed global variable
#46AweBooking – Hotel Booking System203095141k+Non-prefixed global variable
#47Brizy – Page Builder2058972070k+Output is not escaped
#48Broadstreet20434273700Output is not escaped
#49Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)207362,112900Non-prefixed global variable
#50SysBasics Customize My Account for WooCommerce – Live My Account Customizer207448528k+Non-prefixed global variable