WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#5251New Recent Posts Select Categories By Thao Marky64331500Text Domain Mismatch
#5252Nofollow for external link648510k+Output is not escaped
#5253Page in Widget642601k+Output is not escaped
#5254Page Tag Cloud64213500Output is not escaped
#5255Pageviews6415121k+Missing Translators Comment
#5256PHP Code Widget6422180k+Output is not escaped
#5257Retrigger Notifications Gravity Forms645581k+Text Domain Mismatch
#5258Send From64518500Input is not sanitized
#5259Simple HTTPS Redirect64195900Output is not escaped
#5260Click to Call Button645831k+Output is not escaped
#5261SMK Sidebar Generator6419510k+Output is not escaped
#5262Stag Custom Sidebars6410122k+Text Domain Mismatch
#5263Oceanwp sticky header6481310k+Missing nonce verification
#5264Thumbnail Crop Position644312k+Output is not escaped
#5265TP Show Product Images on Checkout Page for WooCommerce64165500Setting is missing a sanitization callback
#5266Twitter6427239k+Missing Translators Comment
#5267WProofreader spell & grammar check plugin for WordPress6412434k+Non-prefixed global variable
#5268Werk aan de Muur644820900Non Singular String Literal Domain
#5269WP Login Door641911400Output is not escaped
#5270WP Term Order642266k+Nonce verification recommended
#5271WPC Shop as a Customer for WooCommerce64538400Request data is not unslashed
#5272YaMaps for WordPress Plugin64213010k+Non-prefixed global variable
#5273Яндекс.ПДС Пингер / Yandex Site search pinger64215800Output is not escaped
#5274ACF: Sidebar Selector65272800Output is not escaped
#5275Banner Upload65364500Output is not escaped
#5276Contact Form 7 – Success Page Redirects6551510k+Input is not sanitized
#5277Creta Testimonial Showcase6528413k+Non-prefixed global variable
#5278Custom Global Variables6514125k+Output is not escaped
#5279Custom Product Tabs for WooCommerce WP All Import Add-on6518181k+Non-prefixed global variable
#5280Custom Share Buttons with Floating Sidebar65164204k+Text Domain Mismatch
#5281Cyr to Lat Reloaded – Transliteration of Links and File Names65133630k+Direct Query
#5282Dashboard Directory Size65329400Missing Arg Domain
#5283Disable REST API65121590k+Output is not escaped
#5284Dojo for WooCommerce657113800Text Domain Mismatch
#5285QRCode652139400Non-prefixed constant
#5286Easy Twitter Feed Widget Plugin65901510k+Text Domain Mismatch
#5287EDD Hide Download651313600Output is not escaped
#5288Live Chat with Messenger Customer Chat6510233k+Input is not sanitized
#5289Featured Galleries6515103k+Output is not escaped
#5290Futy.io Leadbots657392k+wp function not compatible with requires wp
#5291Genesis Visual Hook Guide651314700Nonce verification recommended
#5292HTACCESS IP Blocker655142k+Missing nonce verification
#5293WP All Import – Import SEO Settings for All In One SEO651911900Output is not escaped
#5294Bitrix24652810500Text Domain Mismatch
#5295Multi Image Metabox651787k+Output is not escaped
#5296MW WP Form reCAPTCHA6511142k+Input is not sanitized
#5297Product Image and Video Gallery Slider for WooCommerce65137700Output is not escaped
#5298QR Code Composer – Automatic QR Code Generator653323k+Output is not escaped
#5299Read More Excerpt Link651983k+Output is not escaped
#5300Reading progressbar652526k+Output is not escaped