WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards flagged an `echo`, `print`, `printf` or similar output statement whose argument is a variable, option, request value, or function result not wrapped in one of the escaping functions the sniff recognises. The check is syntactic: it does not trace where a value came from, so a value escaped earlier and stored in a variable is still reported, and, conversely, wrapping the output in an escaping function of the wrong kind for its context silences the sniff without making the output safe.
Why It Matters
Unescaped output is cross-site scripting whenever an attacker controls any part of the printed value: reflected through a request parameter, stored through a comment, profile field or form submission, or written into an option by a lower-privileged user or an earlier vulnerability. In a plugin the payload usually fires in an administrator's browser, where it can act with that user's session.
How to Fix
- Match the function to the output context: `esc_html()` for text nodes, `esc_attr()` for values inside quoted HTML attributes (it does not escape spaces, so an unquoted attribute stays injectable), `esc_url()` for `href` and `src` values, `esc_textarea()` for `<textarea>` content, and `wp_json_encode()` for data placed inside an inline `<script>` block, where entity encoding is never decoded.
- Use `wp_kses()` with an explicit allow-list, or `wp_kses_post()`, when limited HTML is intentionally allowed; the `esc_*()` functions would otherwise encode the markup.
- Translated strings printed with `_e()` or `__()` need the escaping variants, `esc_html_e()`, `esc_html__()`, `esc_attr_e()` and `esc_attr__()`.
- Escape at the point of output, inside the `echo` or template, rather than earlier into a variable, so the function matches the final context and the sniff can see the call. Sanitizing on input (`sanitize_text_field()` and friends) narrows what is stored but does not replace output escaping.
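The rules above applied to one template, as an added example rather than code from any plugin listed on this page: the same widget rendered first with every value reaching the page unescaped (each `echo` is what the sniff reports), then with the escaping function chosen per context. It assumes a WordPress runtime, where `get_option()`, `wp_unslash()`, `sanitize_text_field()`, `wp_parse_args()`, the `esc_*()` family, `wp_kses()` and `wp_json_encode()` are core functions; the option name `demo_widget`, the text domain `demo-widget` and both function names are hypothetical.

```php
<?php
/**
 * Added example, not code from any plugin in the table on this page.
 * Assumes a WordPress runtime. The option name 'demo_widget', the text
 * domain 'demo-widget' and both function names are hypothetical.
 */

// Vulnerable. 'title', 'link', 'blurb' and 'note' come from the options
// table (stored XSS if anyone untrusted can write them); 'q' comes straight
// from the query string (reflected XSS). WPCS reports every echo below.
function demo_widget_render_unsafe() {
	$opts = get_option( 'demo_widget', array() );
	$q    = isset( $_GET['q'] ) ? wp_unslash( $_GET['q'] ) : '';
	?>
	<div class="demo-widget" data-query="<?php echo $q; ?>">
		<h2><?php echo $opts['title']; ?></h2>
		<a href="<?php echo $opts['link']; ?>"><?php _e( 'Read more', 'demo-widget' ); ?></a>
		<p><?php echo $opts['blurb']; ?></p>
		<textarea name="note"><?php echo $opts['note']; ?></textarea>
		<script>var demoQuery = "<?php echo $q; ?>";</script>
	</div>
	<?php
}

// Hardened. Escaping happens inside each echo, so the sniff sees the call
// and the function matches the context the value lands in.
function demo_widget_render_safe() {
	$opts = wp_parse_args(
		get_option( 'demo_widget', array() ),
		array( 'title' => '', 'link' => '', 'blurb' => '', 'note' => '' )
	);
	// Sanitizing on input narrows the stored value but does not replace
	// escaping: sanitize_text_field() leaves quotes and ampersands in place.
	$q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';

	// Explicit allow-list for the one field that may carry markup. wp_kses()
	// also restricts href to its allowed protocols, so javascript: URLs are
	// dropped rather than rendered.
	$blurb_allowed = array(
		'a'      => array( 'href' => true, 'title' => true, 'rel' => true ),
		'strong' => array(),
		'em'     => array(),
		'br'     => array(),
	);
	?>
	<!-- esc_attr() relies on the attribute being quoted; an unquoted
	     class=<?php ... ?> would still be injectable through a space. -->
	<div class="demo-widget" data-query="<?php echo esc_attr( $q ); ?>">
		<h2><?php echo esc_html( $opts['title'] ); ?></h2>
		<a href="<?php echo esc_url( $opts['link'] ); ?>"><?php esc_html_e( 'Read more', 'demo-widget' ); ?></a>
		<p><?php echo wp_kses( $opts['blurb'], $blurb_allowed ); ?></p>
		<textarea name="note"><?php echo esc_textarea( $opts['note'] ); ?></textarea>
		<?php
		// Script context: esc_html() would be wrong here because the browser
		// never decodes entities inside <script>, and esc_js() is meant for
		// inline event attributes. JSON-encode the value and hex-escape <, >
		// and & so a value containing </script> cannot close the block.
		?>
		<script>var demoQuery = <?php echo wp_json_encode( $q, JSON_HEX_TAG | JSON_HEX_AMP ); ?>;</script>
	</div>
	<?php
}
```

A `q` parameter containing `"><script>` closes the `data-query` attribute in the first function and starts a script element; the second function prints it as `&quot;&gt;&lt;script&gt;`, inert text in an attribute value, and the JSON-encoded copy inside the script block comes out as `\u003C` and `\u003E` escapes.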
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1 | BulletProof Security | 0 | 5,048 | 4,949 | 20k+ | | | Output is not escaped |
| #2 | Intercom | 0 | 60 | 71 | 6k+ | | | Non-prefixed function |
| #3 | Live Shopping & Shoppable Videos For WooCommerce | 0 | 78 | 175 | 400 | | | Non-prefixed global variable |
| #4 | Themify Builder | 9 | 5,195 | 2,096 | 5k+ | | | Text Domain Mismatch |
| #5 | JetBackup – Backup, Restore & Migrate | 10 | 1,559 | 145 | 100k+ | | | Exception output is not escaped |
| #6 | Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more | 15 | 32 | 163 | 500k+ | | | Direct Query |
| #7 | Visual Composer Website Builder | 16 | 82 | 320 | 40k+ | | | Non-prefixed global variable |
| #8 | MDTF – Meta Data and Taxonomies Filter | 16 | 1,550 | 1,956 | 1k+ | | | Non-prefixed global variable |
| #9 | AnyComment | 17 | 445 | 449 | 5k+ | | | Output is not escaped |
| #10 | Efí Bank | 17 | 886 | 553 | 400 | | | Exception output is not escaped |
| #11 | wpForo Forum | 17 | 4,033 | 2,922 | 20k+ | | | Unsafe printing function |
| #12 | WPtouch – Make your WordPress Website Mobile-Friendly | 17 | 1,466 | 325 | 50k+ | | | Text Domain Mismatch |
| #13 | Prime Slider Addons for Elementor | 18 | 3,500 | 230 | 100k+ | | | Text Domain Mismatch |
| #14 | JetFormBuilder — Dynamic Blocks Form Builder | 18 | 2,093 | 1,589 | 90k+ | | | Text Domain Mismatch |
| #15 | Pagopar – WooCommerce Gateway | 18 | 530 | 1,215 | 400 | | | Non-prefixed global variable |
| #16 | Podlove Podcast Publisher | 18 | 2,326 | 1,429 | 3k+ | | | Output is not escaped |
| #17 | Property Hive | 18 | 1,957 | 6,027 | 3k+ | | | Missing nonce verification |
| #18 | RestroPress – Online Food Ordering System | 18 | 521 | 3,083 | 1k+ | | | Non-prefixed global variable |
| #19 | Shopping Cart & eCommerce Store | 18 | 5,459 | 17,298 | 4k+ | | | Non-prefixed global variable |
| #20 | WP Import Export Lite | 18 | 738 | 979 | 40k+ | | | Non-prefixed global variable |
| #21 | WP Directory Kit | 18 | 2,119 | 2,617 | 2k+ | | | Non-prefixed global variable |
| #22 | WPPizza – A Restaurant Plugin | 18 | 4,689 | 2,703 | 1k+ | | | Text Domain Mismatch |
| #23 | Element Pack – Widgets, Templates & Addons for Elementor | 19 | 9,448 | 517 | 100k+ | | | Text Domain Mismatch |
| #24 | Block Slider – Responsive Image Slider, Video Slider & Post Slider | 19 | 555 | 1,291 | 3k+ | | | Non-prefixed global variable |
| #25 | Download Monitor | 19 | 425 | 1,364 | 80k+ | | | Non-prefixed hook name |
| #26 | Event Organiser | 19 | 1,106 | 544 | 20k+ | | | Text Domain Mismatch |
| #27 | Advanced File Manager – Ultimate File Manager for WordPress And Document Library Solution | 19 | 1,218 | 901 | 100k+ | | | Exception output is not escaped |
| #28 | Go Fetch Jobs (for WP Job Manager) | 19 | 1,410 | 1,741 | 700 | | | Non-prefixed global variable |
| #29 | AI Infographic Maker | 19 | 1,517 | 599 | 600 | | | Output is not escaped |
| #30 | Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps) | 19 | 3,275 | 3,228 | 10k+ | | | Output is not escaped |
| #31 | Matomo Analytics – Powerful, Privacy-First Insights for WordPress | 19 | 1,909 | 878 | 100k+ | | | Exception output is not escaped |
| #32 | Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization | 19 | 1,293 | 2,679 | 9k+ | | | Output is not escaped |
| #33 | Netgsm | 19 | 338 | 298 | 1k+ | | | Setting is missing a sanitization callback |
| #34 | Verified Reviews (Avis Vérifiés) | 19 | 671 | 1,136 | 700 | | | Non-prefixed global variable |
| #35 | Razorpay Payment Button Plugin | 19 | 486 | 98 | 2k+ | | | Exception output is not escaped |
| #36 | Realtyna Organic IDX plugin + WPL Real Estate | 19 | 947 | 3,653 | 2k+ | | | Non-prefixed global variable |
| #37 | Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) | 19 | 541 | 385 | 3m+ | | | Missing Translators Comment |
| #38 | Membership Plugin – Kadence Memberships | 19 | 5,082 | 2,982 | 9k+ | | | Text Domain Mismatch |
| #39 | Scrollsequence – Cinematic Scroll Image Animation Plugin | 19 | 878 | 1,528 | 4k+ | | | Non-prefixed global variable |
| #40 | SendPress Newsletters | 19 | 2,293 | 1,422 | 2k+ | | | Output is not escaped |
| #41 | SureCart – Ecommerce Made Easy For Selling Physical Products, Digital Downloads, Subscriptions, Donations, & Payments | 19 | 526 | 1,119 | 90k+ | | | Non-prefixed global variable |
| #42 | WordLift – AI powered SEO – Schema | 19 | 393 | 946 | 400 | | | Non-prefixed hook name |
| #43 | WP Email Template | 19 | 342 | 350 | 2k+ | | | Exception output is not escaped |
| #44 | WPOSS阿里云对象存储 | 19 | 269 | 315 | 1k+ | | | Non-prefixed namespace |
| #45 | WPQiNiu七牛云对象存储 | 19 | 138 | 612 | 400 | | | Non-prefixed global variable |
| #46 | AweBooking – Hotel Booking System | 20 | 309 | 514 | 1k+ | | | Non-prefixed global variable |
| #47 | Brizy – Page Builder | 20 | 589 | 720 | 70k+ | | | Output is not escaped |
| #48 | Broadstreet | 20 | 434 | 273 | 700 | | | Output is not escaped |
| #49 | Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) | 20 | 736 | 2,112 | 900 | | | Non-prefixed global variable |
| #50 | SysBasics Customize My Account for WooCommerce – Live My Account Customizer | 20 | 744 | 852 | 8k+ | | | Non-prefixed global variable |