WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#5101Documents for WooCommerce611613500Output is not escaped
#5102ELEX WooCommerce Catalog Mode61974910k+Text Domain Mismatch
#5103Equal Height Columns6124510k+Output is not escaped
#5104GamiPress – Link61325800Output is not escaped
#5105Country and State Selection Addon for Gravity Forms6114261k+Non-prefixed constant
#5106GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor61911980k+Non-prefixed global variable
#5107Hide Admin Bar For User Roles613810500Output is not escaped
#5108Hotjar6116470k+Output is not escaped
#5109jQuery Lightbox612231k+Output is not escaped
#5110Magic Tooltips For Contact Form 7613721700Text Domain Mismatch
#5111Marker.io – Visual Website Feedback616314k+Request data is not unslashed
#5112Media Library Helper — Bulk edit image ALT, caption & description61167010k+Non-prefixed global variable
#5113Mentions Legales Par Webdeclic618239500Non Singular String Literal Domain
#5114Reorder Posts – Quick Post Type and Page Ordering61102310k+Request data is not unslashed
#5115Multiple Post Passwords6113152k+Output is not escaped
#5116Order On Mobile for WooCommerce6137152k+Text Domain Mismatch
#5117Post/Page Import Export – Migrate Content with Custom Fields & Taxonomies611227400Input is not sanitized
#5118PRyC WP: Add custom content to post and page (top/bottom)616371k+Text Domain Mismatch
#5119Publish Post Email Notification611618600Output is not escaped
#5120PW WooCommerce Copy Coupon6115171k+Text Domain Mismatch
#5121Qikink Print On Demand and DropShipping6114231k+Input is not validated
#5122SHK Hide Title611943k+Output is not escaped
#5123Simple User Avatar6181420k+Output is not escaped
#5124Slide everything for Elementor619316k+Text Domain Mismatch
#5125Slider Factory6134142k+Non-prefixed global variable
#5126SSL Certificate Manager61147600Output is not escaped
#5127HuCommerce | Magyar kiegészítések WooCommerce webáruházakhoz611719410k+Non-prefixed function
#5128Text Domain Inspector614136400Non-prefixed global variable
#5129whatwedo ACF Cleaner61820800Input is not validated
#5130When Last Login – Export User Records611813500Output is not escaped
#5131Widget Click to Chat61224500Setting is missing a sanitization callback
#5132Wistia WordPress Plugin6142122k+Output is not escaped
#5133Order Weight for WooCommerce612434600Text Domain Mismatch
#5134QR Code PicPay for WooCommerce611525600Non-prefixed global variable
#5135Products Restricted Users for WooCommerce613124400wp function not compatible with requires wp
#5136Show Variations as Single Products for WooCommerce611227500Unsafe printing function
#5137More Sorting Options for WooCommerce6127173k+Output is not escaped
#5138wp-cleanumlauts26132221k+Output is not escaped
#5139WP-CORS617231k+error log error log
#5140RSS Feed Retriever612387k+wp function not compatible with requires wp
#5141Bulk Edit YOAST SEO fields in Spreadsheet6156161k+Non Singular String Literal Domain
#5142WP-UTF8-Excerpt611710700Unsafe printing function
#5143WP YouTube Player6114171k+Output is not escaped
#5144Related Products Slider for WooCommerce – Boost Sales with Smart Product Recommendations6181131k+Text Domain Mismatch
#5145AAM Protected Media Files621310600Direct Query
#5146AMP Contact FORM 7 – AMPCF762913500Input is not validated
#5147AMS Post And Page Duplicator621413600Text Domain Mismatch
#5148Contact Form 7 – Blacklist Unwanted Email621611400Missing direct file access protection
#5149Bulk edit publish date6211161k+Nonce verification recommended
#5150Bulk Page Creator6291710k+Request data is not unslashed