WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4951Filter Orders by Product for WooCommerce579214k+Nonce verification recommended
#4952Sequential Order Numbers for WooCommerce5792410k+Interpolated SQL is not prepared
#4953WP Adsterra Dashboard572221400wp function not compatible with requires wp
#4954WP Old Post Date Remover572572k+Unsafe printing function
#4955WP Table Builder – Drag & Drop Table Builder57633950k+Not Allowed
#4956WP Wrapper571329600Input is not validated
#4957XML Feed for Skroutz & BestPrice for WooCommerce571250600Input is not sanitized
#4958Zoho Billing – Embed Payment Form572210500Output is not escaped
#4959WP Admin Category Search5823112k+Unsafe printing function
#4960Admin Page Notes581715700Text Domain Mismatch
#4961Web Accessibility Toolkit – Accessibility Checker & ARIA for WCAG, Section 508 & ADA Compliance58921500Output is not escaped
#4962Basic User Avatars5817720k+Output is not escaped
#4963BCM Duplicate Menu588114k+Nonce verification recommended
#4964Contact Form DB for Enfold582114700Output is not escaped
#4965CSSIgniter Shortcodes585522k+Output is not escaped
#4966Custom Meta Widget585527k+Output is not escaped
#4967Customization for WP SEO5815102k+Unsafe printing function
#4968Debloat – Remove Unused CSS, Optimize JS58242030k+Nonce verification recommended
#4969Departamentos y Ciudades de Colombia para Woocommerce5849426k+Text Domain Mismatch
#4970E-namad & Shamed Logo Manager582622k+Output is not escaped
#4971Easy Social Box / Page Plugin585344k+Output is not escaped
#4972Easy Sidebar Menu Widget583272k+Output is not escaped
#4973PDF invoice for WP ERP58961342k+Non-prefixed global variable
#4974Flexible FAQ5827261k+Text Domain Mismatch
#4975Go Redirects URL Forwarder5817141k+Output is not escaped
#4976Gutenverse Form – Contact Form Builder, Block Form & Booking Form58174810k+Nonce verification recommended
#4977Houzez WooCommerce Addon5822214k+Missing Translators Comment
#4978List Last Changes5850151k+Output is not escaped
#4979Menu Swapper5820143k+Output is not escaped
#4980Nginx Cache5812810k+Unsafe printing function
#4981WP Online Active Users5826452k+Non-prefixed global variable
#4982PageLoader Lite – Loading Screen582917700Output is not escaped
#4983PW WooCommerce BOGO58308400Unsafe printing function
#4984Quickcreator – AI Blog Writer581418500Exception output is not escaped
#4985Random Post for Widget582752k+Output is not escaped
#4986Remove CPT base58151610k+Input is not sanitized
#4987Responsive Select Menu5829273k+Output is not escaped
#4988Rewrite Rules Inspector5875910k+Nonce verification recommended
#4989Safety Exit5852261k+Text Domain Mismatch
#4990Simple Back To Top5815433k+Non-prefixed global variable
#4991Simple CSS for widgets5811151k+Missing nonce verification
#4992SportsPress for Basketball58104341k+Text Domain Mismatch
#4993SportsPress for Football (Soccer)58107346k+Text Domain Mismatch
#4994SportsPress for Volleyball5810734500Text Domain Mismatch
#4995Super Simple Event Calendar58824600Request data is not unslashed
#4996UiCore Elements – Free widgets and templates for Elementor58293040k+Output is not escaped
#4997Ultimate Member – Online Users582543k+Output is not escaped
#4998View Admin As583071359k+Non Singular String Literal Domain
#4999VRTs – Visual Regression Tests5861118900Database parameter is not escaped
#5000WebP Express Plus581911700Unsafe printing function