WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5251 | New Recent Posts Select Categories By Thao Marky | 64 | 33 | 1 | 500 | Text Domain Mismatch | ||
| #5252 | Nofollow for external link | 64 | 8 | 5 | 10k+ | Output is not escaped | ||
| #5253 | Page in Widget | 64 | 26 | 0 | 1k+ | Output is not escaped | ||
| #5254 | Page Tag Cloud | 64 | 21 | 3 | 500 | Output is not escaped | ||
| #5255 | Pageviews | 64 | 15 | 12 | 1k+ | Missing Translators Comment | ||
| #5256 | PHP Code Widget | 64 | 22 | 1 | 80k+ | Output is not escaped | ||
| #5257 | Retrigger Notifications Gravity Forms | 64 | 55 | 8 | 1k+ | Text Domain Mismatch | ||
| #5258 | Send From | 64 | 5 | 18 | 500 | Input is not sanitized | ||
| #5259 | Simple HTTPS Redirect | 64 | 19 | 5 | 900 | Output is not escaped | ||
| #5260 | Click to Call Button | 64 | 58 | 3 | 1k+ | Output is not escaped | ||
| #5261 | SMK Sidebar Generator | 64 | 19 | 5 | 10k+ | Output is not escaped | ||
| #5262 | Stag Custom Sidebars | 64 | 10 | 12 | 2k+ | Text Domain Mismatch | ||
| #5263 | Oceanwp sticky header | 64 | 8 | 13 | 10k+ | Missing nonce verification | ||
| #5264 | Thumbnail Crop Position | 64 | 43 | 1 | 2k+ | Output is not escaped | ||
| #5265 | TP Show Product Images on Checkout Page for WooCommerce | 64 | 16 | 5 | 500 | Setting is missing a sanitization callback | ||
| #5266 | 64 | 27 | 23 | 9k+ | Missing Translators Comment | |||
| #5267 | WProofreader spell & grammar check plugin for WordPress | 64 | 12 | 43 | 4k+ | Non-prefixed global variable | ||
| #5268 | Werk aan de Muur | 64 | 48 | 20 | 900 | Non Singular String Literal Domain | ||
| #5269 | WP Login Door | 64 | 19 | 11 | 400 | Output is not escaped | ||
| #5270 | WP Term Order | 64 | 2 | 26 | 6k+ | Nonce verification recommended | ||
| #5271 | WPC Shop as a Customer for WooCommerce | 64 | 5 | 38 | 400 | Request data is not unslashed | ||
| #5272 | YaMaps for WordPress Plugin | 64 | 21 | 30 | 10k+ | Non-prefixed global variable | ||
| #5273 | Яндекс.ПДС Пингер / Yandex Site search pinger | 64 | 21 | 5 | 800 | Output is not escaped | ||
| #5274 | ACF: Sidebar Selector | 65 | 27 | 2 | 800 | Output is not escaped | ||
| #5275 | Banner Upload | 65 | 36 | 4 | 500 | Output is not escaped | ||
| #5276 | Contact Form 7 – Success Page Redirects | 65 | 5 | 15 | 10k+ | Input is not sanitized | ||
| #5277 | Creta Testimonial Showcase | 65 | 28 | 41 | 3k+ | Non-prefixed global variable | ||
| #5278 | Custom Global Variables | 65 | 14 | 12 | 5k+ | Output is not escaped | ||
| #5279 | Custom Product Tabs for WooCommerce WP All Import Add-on | 65 | 18 | 18 | 1k+ | Non-prefixed global variable | ||
| #5280 | Custom Share Buttons with Floating Sidebar | 65 | 164 | 20 | 4k+ | Text Domain Mismatch | ||
| #5281 | Cyr to Lat Reloaded – Transliteration of Links and File Names | 65 | 13 | 36 | 30k+ | Direct Query | ||
| #5282 | Dashboard Directory Size | 65 | 32 | 9 | 400 | Missing Arg Domain | ||
| #5283 | Disable REST API | 65 | 12 | 15 | 90k+ | Output is not escaped | ||
| #5284 | Dojo for WooCommerce | 65 | 71 | 13 | 800 | Text Domain Mismatch | ||
| #5285 | QRCode | 65 | 21 | 39 | 400 | Non-prefixed constant | ||
| #5286 | Easy Twitter Feed Widget Plugin | 65 | 90 | 15 | 10k+ | Text Domain Mismatch | ||
| #5287 | EDD Hide Download | 65 | 13 | 13 | 600 | Output is not escaped | ||
| #5288 | Live Chat with Messenger Customer Chat | 65 | 10 | 23 | 3k+ | Input is not sanitized | ||
| #5289 | Featured Galleries | 65 | 15 | 10 | 3k+ | Output is not escaped | ||
| #5290 | Futy.io Leadbots | 65 | 73 | 9 | 2k+ | wp function not compatible with requires wp | ||
| #5291 | Genesis Visual Hook Guide | 65 | 13 | 14 | 700 | Nonce verification recommended | ||
| #5292 | HTACCESS IP Blocker | 65 | 5 | 14 | 2k+ | Missing nonce verification | ||
| #5293 | WP All Import – Import SEO Settings for All In One SEO | 65 | 19 | 11 | 900 | Output is not escaped | ||
| #5294 | Bitrix24 | 65 | 28 | 10 | 500 | Text Domain Mismatch | ||
| #5295 | Multi Image Metabox | 65 | 17 | 8 | 7k+ | Output is not escaped | ||
| #5296 | MW WP Form reCAPTCHA | 65 | 11 | 14 | 2k+ | Input is not sanitized | ||
| #5297 | Product Image and Video Gallery Slider for WooCommerce | 65 | 13 | 7 | 700 | Output is not escaped | ||
| #5298 | QR Code Composer – Automatic QR Code Generator | 65 | 33 | 2 | 3k+ | Output is not escaped | ||
| #5299 | Read More Excerpt Link | 65 | 19 | 8 | 3k+ | Output is not escaped | ||
| #5300 | Reading progressbar | 65 | 25 | 2 | 6k+ | Output is not escaped |