WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
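The three fixes above applied to one piece of output, as an added example (not code from this page or from WordPress Coding Standards). It assumes it runs inside a loaded WordPress plugin file; the `myplugin_` function names and option keys are hypothetical.

```php
<?php
// Added example. Assumption: the three options below hold values an
// administrator or an import routine stored earlier.

// Before: each echo prints dynamic data raw and is flagged as OutputNotEscaped.
function myplugin_notice_unescaped() {
	$title = get_option( 'myplugin_notice_title' );
	$link  = get_option( 'myplugin_notice_link' );
	$body  = get_option( 'myplugin_notice_body' );

	echo '<div class="notice" title="' . $title . '">';
	echo '<a href="' . $link . '">' . $title . '</a>';
	echo '<p>' . $body . '</p></div>';
}

// After: values stay raw until the moment of output, and each one gets the
// function that matches the context it lands in.
function myplugin_notice_escaped() {
	$title = (string) get_option( 'myplugin_notice_title', '' );
	$link  = (string) get_option( 'myplugin_notice_link', '' );
	$body  = (string) get_option( 'myplugin_notice_body', '' );

	// Limited HTML is intended in the body, so allow only these tags and
	// attributes; wp_kses() strips everything else.
	$allowed = array(
		'a'      => array( 'href' => array() ),
		'strong' => array(),
		'em'     => array(),
	);

	// The same $title is escaped twice, once per context: esc_attr() inside
	// the title attribute, esc_html() as the link text.
	printf(
		'<div class="notice" title="%1$s"><a href="%2$s">%3$s</a><p>%4$s</p></div>',
		esc_attr( $title ),
		esc_url( $link ),
		esc_html( $title ),
		wp_kses( $body, $allowed )
	);
}
add_action( 'admin_notices', 'myplugin_notice_escaped' );
```

Where the body should accept the same markup as post content, `wp_kses_post( $body )` replaces the explicit allowlist.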
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5151 | wp-cleanumlauts2 | 61 | 32 | 22 | 1k+ | | | Output is not escaped |
| #5152 | WP-CORS | 61 | 7 | 23 | 1k+ | | | error log error log |
| #5153 | RSS Feed Retriever | 61 | 23 | 8 | 7k+ | | | wp function not compatible with requires wp |
| #5154 | Bulk Edit YOAST SEO fields in Spreadsheet | 61 | 56 | 16 | 1k+ | | | Non Singular String Literal Domain |
| #5155 | WP-UTF8-Excerpt | 61 | 17 | 10 | 800 | | | Unsafe printing function |
| #5156 | WP YouTube Player | 61 | 14 | 17 | 1k+ | | | Output is not escaped |
| #5157 | Related Products Slider for WooCommerce – Boost Sales with Smart Product Recommendations | 61 | 81 | 13 | 1k+ | | | Text Domain Mismatch |
| #5158 | AAM Protected Media Files | 62 | 13 | 10 | 600 | | | Direct Query |
| #5159 | AMP Contact FORM 7 – AMPCF7 | 62 | 9 | 13 | 600 | | | Input is not validated |
| #5160 | AMS Post And Page Duplicator | 62 | 14 | 13 | 600 | | | Text Domain Mismatch |
| #5161 | Contact Form 7 – Blacklist Unwanted Email | 62 | 16 | 11 | 400 | | | Missing direct file access protection |
| #5162 | Bulk edit publish date | 62 | 11 | 16 | 2k+ | | | Nonce verification recommended |
| #5163 | Bulk Page Creator | 62 | 9 | 17 | 10k+ | | | Request data is not unslashed |
| #5164 | Cloudways WordPress Migrator | 62 | 15 | 25 | 20k+ | | | Output is not escaped |
| #5165 | Checkout Countdown for WooCommerce – Boost Conversions & Reduce Cart Abandonment | 62 | 43 | 12 | 4k+ | | | Output is not escaped |
| #5166 | Column Separator for Beaver Builder | 62 | 61 | 17 | 400 | | | Output is not escaped |
| #5167 | Custom Permalink Editor | 62 | 4 | 51 | 3k+ | | | Non-prefixed hook name |
| #5168 | Custom Sidebars by ProteusThemes | 62 | 17 | 23 | 1k+ | | | Missing nonce verification |
| #5169 | Dashboard Widget Sidebar | 62 | 9 | 16 | 400 | | | Input is not validated |
| #5170 | Devices for Elementor | 62 | 22 | 13 | 400 | | | Output is not escaped |
| #5171 | Disable Visual Editor WYSIWYG | 62 | 10 | 12 | 1k+ | | | Nonce verification recommended |
| #5172 | DreamHost Automated Migration | 62 | 15 | 23 | 20k+ | | | Output is not escaped |
| #5173 | Equalweb Accessibility | 62 | 21 | 5 | 4k+ | | | Output is not escaped |
| #5174 | exovia GDPR Google Maps | 62 | 40 | 6 | 4k+ | | | Output is not escaped |
| #5175 | Genesis Accessible | 62 | 49 | 17 | 500 | | | Text Domain Mismatch |
| #5176 | GetGenie – AI Content Writer with Keyword Research & SEO Tracking | 62 | 13 | 39 | 80k+ | | | Nonce verification recommended |
| #5177 | Hestia Nginx Cache | 62 | 21 | 8 | 1k+ | | | Output is not escaped |
| #5178 | Include Matomo Tracking, by Jonas Hellmann | 62 | 14 | 4 | 500 | | | Setting is missing a sanitization callback |
| #5179 | Cron Jobs | 62 | 21 | 33 | 2k+ | | | Nonce verification recommended |
| #5180 | Live Simple Clock | 62 | 23 | 1 | 800 | | | Output is not escaped |
| #5181 | Migrate To Liquid Web & Nexcess | 62 | 15 | 23 | 2k+ | | | Output is not escaped |
| #5182 | Nimbata Call Tracking | 62 | 13 | 11 | 400 | | | Non-prefixed function |
| #5183 | Pressable Automated Migration | 62 | 15 | 23 | 3k+ | | | Output is not escaped |
| #5184 | Proofreading | 62 | 11 | 74 | 5k+ | | | Direct Query |
| #5185 | Easy SSL Plugin for SAKURA Rental Server | 62 | 23 | 17 | 50k+ | | | Input is not sanitized |
| #5186 | SEO Image Toolbox | 62 | 19 | 14 | 1k+ | | | Output is not escaped |
| #5187 | Single Post Template | 62 | 14 | 8 | 4k+ | | | Text Domain Mismatch |
| #5188 | Sitewide Notice WP | 62 | 6 | 13 | 3k+ | | | Output is not escaped |
| #5189 | Spam Comments Cleaner | 62 | 14 | 29 | 1k+ | | | Non-prefixed function |
| #5190 | Standard Widget Extensions | 62 | 67 | 6 | 1k+ | | | Output is not escaped |
| #5191 | Testimonial Carousel For Elementor | 62 | 34 | 56 | 10k+ | | | No Html Wrapped Strings |
| #5192 | Topic SEO Content Optimization Tool | 62 | 35 | 15 | 1k+ | | | curl curl close |
| #5193 | Uber Login Logo | 62 | 16 | 5 | 10k+ | | | Unsafe printing function |
| #5194 | WiserNotify – Social Proof & FOMO Notifications, WooCommerce Sales Popups, Reviews & Announcement Bar | 62 | 13 | 32 | 1k+ | | | Request data is not unslashed |
| #5195 | Woo Product Remover | 62 | 23 | 14 | 1k+ | | | SQL query is not prepared |
| #5196 | Embed Videos For Product Image Gallery Using WooCommerce | 62 | 21 | 16 | 400 | | | Text Domain Mismatch |
| #5197 | WooCommerce Product Fees | 62 | 6 | 25 | 2k+ | | | Missing nonce verification |
| #5198 | WP Downloader | 62 | 11 | 15 | 2k+ | | | Output is not escaped |
| #5199 | Wp Theme plugin Download | 62 | 11 | 16 | 2k+ | | | Output is not escaped |
| #5200 | Migrate to WordPress.com | 62 | 15 | 28 | 2k+ | | | Output is not escaped |