WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5201 | Dadevarzan Beaver Builder Modules | 63 | 167 | 5 | 600 | Text Domain Mismatch | ||
| #5202 | Placeholder Image for WooCommerce | 63 | 31 | 5 | 400 | Output is not escaped | ||
| #5203 | Dehkadeh Fonts | 63 | 117 | 5 | 700 | Text Domain Mismatch | ||
| #5204 | Email Post Changes | 63 | 43 | 8 | 500 | Missing Arg Domain | ||
| #5205 | Essential Addons for Elementor – Popular Elementor Templates & Widgets | 63 | 78 | 185 | 2m+ | wp function not compatible with requires wp | ||
| #5206 | Fathom Analytics for WP | 63 | 25 | 15 | 10k+ | Output is not escaped | ||
| #5207 | FeedFocal | 63 | 16 | 6 | 2k+ | Unsafe printing function | ||
| #5208 | Happierleads – Identify your B2B website visitors even if they work remotely | 63 | 32 | 7 | 600 | wp function not compatible with requires wp | ||
| #5209 | Image Sitemap | 63 | 11 | 14 | 400 | Output is not escaped | ||
| #5210 | Include Klaviyo for Elementor pro | 63 | 60 | 10 | 2k+ | Missing Arg Domain | ||
| #5211 | Instant Images – One-click Image Uploads from Unsplash, Openverse, Pixabay, Pexels, and Giphy | 63 | 31 | 16 | 100k+ | Missing direct file access protection | ||
| #5212 | Integrate GA4 Google Analytics | 63 | 33 | 3 | 500 | Text Domain Mismatch | ||
| #5213 | Latest Posts | 63 | 27 | 1 | 5k+ | Output is not escaped | ||
| #5214 | Social Intents – Live Chat | 63 | 42 | 11 | 400 | Non Singular String Literal Domain | ||
| #5215 | Mailster Google Analytics | 63 | 26 | 9 | 900 | Output is not escaped | ||
| #5216 | Mantenimiento web | 63 | 49 | 15 | 20k+ | Text Domain Mismatch | ||
| #5217 | Missed Scheduled Posts Publisher by WPBeginner | 63 | 16 | 17 | 30k+ | Text Domain Mismatch | ||
| #5218 | One Tap Google Sign in | 63 | 6 | 30 | 900 | Request data is not unslashed | ||
| #5219 | Order auto complete for WooCommerce | 63 | 56 | 22 | 1k+ | Text Domain Mismatch | ||
| #5220 | Query Posts | 63 | 53 | 6 | 800 | Output is not escaped | ||
| #5221 | Recent Posts by Category Widget | 63 | 24 | 0 | 4k+ | Output is not escaped | ||
| #5222 | Redirect 404 to Home Page – Custom URL | 63 | 9 | 11 | 4k+ | Output is not escaped | ||
| #5223 | Simple WWW Redirect | 63 | 26 | 5 | 1k+ | Output is not escaped | ||
| #5224 | Slightly troublesome permalink | 63 | 24 | 10 | 1k+ | Non Singular String Literal Domain | ||
| #5225 | Rating Widget: Post Rating, 5 Star Rating, Reviews, Thumbs Up & Down, Reaction | 63 | 177 | 27 | 400 | Missing direct file access protection | ||
| #5226 | Review & testimonial widgets | 63 | 62 | 9 | 1k+ | Text Domain Mismatch | ||
| #5227 | User Switching | 63 | 2 | 47 | 200k+ | Nonce verification recommended | ||
| #5228 | PayPing Gateway For Woocommerce | 63 | 11 | 40 | 1k+ | Non-prefixed hook name | ||
| #5229 | WPC Variation Bulk Editor for WooCommerce | 63 | 13 | 32 | 1k+ | Request data is not unslashed | ||
| #5230 | WT Yandex Metrika | 63 | 35 | 0 | 5k+ | Output is not escaped | ||
| #5231 | Admin CSS MU | 64 | 30 | 582 | 10k+ | Non-prefixed global variable | ||
| #5232 | Admin filter posts by year | 64 | 8 | 32 | 400 | Non-prefixed function | ||
| #5233 | Broadly for WordPress | 64 | 18 | 5 | 500 | Unsafe printing function | ||
| #5234 | UniqueID for Contact Form 7 | 64 | 21 | 18 | 2k+ | Text Domain Mismatch | ||
| #5235 | Channel.io | 64 | 14 | 3 | 1k+ | Output is not escaped | ||
| #5236 | CodeColorer | 64 | 65 | 266 | 1k+ | Non-prefixed global variable | ||
| #5237 | Collapsing Archives | 64 | 36 | 9 | 3k+ | date date | ||
| #5238 | Comment Blacklist Manager | 64 | 14 | 8 | 600 | Output is not escaped | ||
| #5239 | Advanced Comment Form | 64 | 68 | 6 | 4k+ | Output is not escaped | ||
| #5240 | Delete Unscaled Images | 64 | 24 | 4 | 800 | Text Domain Mismatch | ||
| #5241 | Download Theme | 64 | 18 | 20 | 4k+ | wp function not compatible with requires wp | ||
| #5242 | Embed Google Fonts | 64 | 28 | 7 | 5k+ | Output is not escaped | ||
| #5243 | Estonian Shipping Methods for WooCommerce | 64 | 97 | 16 | 1k+ | Text Domain Mismatch | ||
| #5244 | Evermore | 64 | 8 | 12 | 1k+ | Input is not validated | ||
| #5245 | Favicon XT-Manager | 64 | 9 | 12 | 2k+ | Output is not escaped | ||
| #5246 | Icon Element – Icon Pack for Elementor Page Builder (6718 icons) | 64 | 30 | 16 | 40k+ | wp function not compatible with requires wp | ||
| #5247 | Online Payments with iK Pay Gateway | 64 | 12 | 28 | 1k+ | Missing nonce verification | ||
| #5248 | Image Hover Effects – Elementor Addon | 64 | 117 | 7 | 40k+ | Text Domain Mismatch | ||
| #5249 | Inactive Logout | 64 | 30 | 71 | 10k+ | Non-prefixed global variable | ||
| #5250 | Integrate Firebase | 64 | 26 | 7 | 600 | Output is not escaped |