WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5001 | UiCore Elements – Free widgets and templates for Elementor | 58 | 29 | 30 | 40k+ | Output is not escaped | ||
| #5002 | Ultimate Member – Online Users | 58 | 25 | 4 | 3k+ | Output is not escaped | ||
| #5003 | View Admin As | 58 | 307 | 135 | 9k+ | Non Singular String Literal Domain | ||
| #5004 | VRTs – Visual Regression Tests | 58 | 61 | 118 | 900 | Database parameter is not escaped | ||
| #5005 | WebP Express Plus | 58 | 19 | 11 | 700 | Unsafe printing function | ||
| #5006 | Wettervorhersage | 58 | 49 | 7 | 1k+ | Output is not escaped | ||
| #5007 | Chat Button & Custom ChatGPT-Powered Bot by GetButton.io | 58 | 26 | 8 | 20k+ | Non-prefixed function | ||
| #5008 | Cloak Affiliate Links for WooCommerce | 58 | 28 | 6 | 2k+ | Non Singular String Literal Domain | ||
| #5009 | WP Healthcheck | 58 | 37 | 73 | 1k+ | Non-prefixed global variable | ||
| #5010 | Age Gator | 59 | 9 | 15 | 400 | Direct Query | ||
| #5011 | Blog Designer | 59 | 62 | 83 | 10k+ | Text Domain Mismatch | ||
| #5012 | Posts Order | 59 | 59 | 20 | 1k+ | Text Domain Mismatch | ||
| #5013 | Connect SendGrid for Emails | 59 | 37 | 103 | 900 | Missing direct file access protection | ||
| #5014 | Cresta Posts Box | 59 | 10 | 13 | 1k+ | Output is not escaped | ||
| #5015 | Display Post Types – Post Grid, post list and post sliders | 59 | 24 | 14 | 7k+ | Output is not escaped | ||
| #5016 | Fathom Analytics Conversions | 59 | 14 | 47 | 400 | Non-prefixed function | ||
| #5017 | File Upload For WPForms – Filenzo | 59 | 8 | 16 | 1k+ | Output is not escaped | ||
| #5018 | flowpaper | 59 | 13 | 31 | 10k+ | Non-prefixed function | ||
| #5019 | GDPR Data Request Form | 59 | 22 | 19 | 5k+ | Missing direct file access protection | ||
| #5020 | Gettext override translations | 59 | 33 | 7 | 2k+ | Missing Arg Domain | ||
| #5021 | Gravity Forms: Notification Attachments | 59 | 18 | 7 | 500 | Output is not escaped | ||
| #5022 | Gravity Forms Approvals Add-On | 59 | 17 | 6 | 800 | Output is not escaped | ||
| #5023 | GravityWP – Merge Tags | 59 | 16 | 172 | 2k+ | Non-prefixed global variable | ||
| #5024 | HTTP Headers | 59 | 20 | 43 | 50k+ | Nonce verification recommended | ||
| #5025 | Icon List | 59 | 83 | 11 | 1k+ | Text Domain Mismatch | ||
| #5026 | Importify – AI Dropshipping for WooCommerce | 59 | 22 | 71 | 2k+ | Non-prefixed global variable | ||
| #5027 | MapGeo – Interactive Geo Maps | 59 | 14 | 51 | 40k+ | Non-prefixed hook name | ||
| #5028 | JetSticky For Elementor | 59 | 13 | 38 | 30k+ | Nonce verification recommended | ||
| #5029 | Lazy Loader | 59 | 6 | 24 | 9k+ | Nonce verification recommended | ||
| #5030 | Logo or Image Replace by mycore.global | 59 | 30 | 12 | 400 | Text Domain Mismatch | ||
| #5031 | Mango Buttons | 59 | 14 | 21 | 3k+ | Output is not escaped | ||
| #5032 | Multiple Packages for WooCommerce | 59 | 34 | 4 | 600 | Text Domain Mismatch | ||
| #5033 | Pattern Wrangler – Manage Block Patterns and Pattern Categories | 59 | 14 | 73 | 400 | Non-prefixed global variable | ||
| #5034 | pensopay Payments v2 | 59 | 413 | 32 | 1k+ | Non Singular String Literal Domain | ||
| #5035 | Post Type Select Field for Advanced Custom Fields | 59 | 48 | 1 | 900 | Text Domain Mismatch | ||
| #5036 | SureFeedback Client Site | 59 | 47 | 24 | 5k+ | Text Domain Mismatch | ||
| #5037 | Remove Add to Cart Button for WooCommerce | 59 | 115 | 18 | 500 | Text Domain Mismatch | ||
| #5038 | Resize Image After Upload | 59 | 15 | 11 | 80k+ | Output is not escaped | ||
| #5039 | Simplelightbox | 59 | 32 | 4 | 1k+ | Output is not escaped | ||
| #5040 | Subscribers – Free Web Push Notifications | 59 | 15 | 11 | 1k+ | Output is not escaped | ||
| #5041 | Super Progressive Web Apps | 59 | 62 | 22 | 40k+ | wp function not compatible with requires wp | ||
| #5042 | Text Scroll Widget | 59 | 30 | 2 | 400 | Output is not escaped | ||
| #5043 | Typebot | 59 | 17 | 9 | 3k+ | Output is not escaped | ||
| #5044 | UltraPress – AI Assistant, Chatbot & SEO | 59 | 12 | 38 | 800 | Non-prefixed global variable | ||
| #5045 | Unlimited Addons For Gutenberg Blocks | 59 | 16 | 68 | 900 | slow db query meta key | ||
| #5046 | Videojs HTML5 Player | 59 | 12 | 12 | 8k+ | Nonce verification recommended | ||
| #5047 | Konnect Payment Gateway for WooCommerce | 59 | 39 | 16 | 400 | Text Domain Mismatch | ||
| #5048 | WC Korkmaz Contract – Contracts for WooCommerce | 59 | 7 | 38 | 500 | Non-prefixed global variable | ||
| #5049 | Payment Gateway for LiqPay for Woocommerce | 59 | 84 | 31 | 1k+ | Text Domain Mismatch | ||
| #5050 | GST Invoice for WooCommerce | 59 | 10 | 42 | 1k+ | Missing nonce verification |