WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5301 | SocketLabs | 65 | 15 | 18 | 900 | Output is not escaped | ||
| #5302 | T4B News Ticker – Responsive News Scroller, Slider, and Animations | 65 | 20 | 10 | 7k+ | Output is not escaped | ||
| #5303 | User Last Login | 65 | 27 | 5 | 600 | Output is not escaped | ||
| #5304 | Lime Connect (formerly Userlike) – WordPress Live Chat plugin | 65 | 22 | 3 | 900 | Output is not escaped | ||
| #5305 | Vf Expansion | 65 | 58 | 52 | 1k+ | Non-prefixed global variable | ||
| #5306 | VK Link Target Controller | 65 | 13 | 10 | 30k+ | Output is not escaped | ||
| #5307 | Websitescanner Custom Schema | 65 | 28 | 19 | 600 | wp function not compatible with requires wp | ||
| #5308 | Add to Cart Text Changer and Customize Button, Add Custom Icon | 65 | 87 | 18 | 2k+ | Text Domain Mismatch | ||
| #5309 | USPS Simple Shipping for Woocommerce | 65 | 20 | 11 | 8k+ | Exception output is not escaped | ||
| #5310 | AI Product Gallery Slider for WooCommerce, Product Image Zoom, Product Video, Additional Variation Images Gallery – WPBean | 65 | 264 | 16 | 2k+ | Text Domain Mismatch | ||
| #5311 | WP Change Default From Email | 65 | 51 | 7 | 10k+ | Non Singular String Literal Domain | ||
| #5312 | WP Max Submit Protect | 65 | 19 | 12 | 400 | Output is not escaped | ||
| #5313 | WP SEO HTML Sitemap | 65 | 22 | 15 | 6k+ | Output is not escaped | ||
| #5314 | WPC Free Gift Coupons for WooCommerce | 65 | 8 | 25 | 400 | Non-prefixed class | ||
| #5315 | ACF RGBA Color Picker | 66 | 37 | 3 | 6k+ | Text Domain Mismatch | ||
| #5316 | ACF: Rus-To-Lat | 66 | 15 | 11 | 2k+ | Output is not escaped | ||
| #5317 | Password Reset with Code for WordPress REST API | 66 | 24 | 8 | 900 | Exception output is not escaped | ||
| #5318 | Black Ribbon | 66 | 29 | 5 | 500 | Output is not escaped | ||
| #5319 | Social comments by WpDevArt | 66 | 9 | 19 | 8k+ | Missing Version | ||
| #5320 | Cookie Warning | 66 | 14 | 15 | 700 | Non-prefixed function | ||
| #5321 | Custom Author Byline | 66 | 11 | 8 | 500 | Output is not escaped | ||
| #5322 | Custom Login Page Templates – Change Logo, Background and CSS | 66 | 25 | 5 | 2k+ | Missing Arg Domain | ||
| #5323 | Custom Posts Per Page | 66 | 20 | 2 | 900 | Unsafe printing function | ||
| #5324 | Custom Posts Per Page Reloaded | 66 | 40 | 3 | 700 | Text Domain Mismatch | ||
| #5325 | No Right Click, Content Copy Protection, Disable Right Click by RB | 66 | 23 | 2 | 600 | Unsafe printing function | ||
| #5326 | Elementic | 66 | 22 | 9 | 900 | Text Domain Mismatch | ||
| #5327 | Estatik Mortgage Calculator | 66 | 22 | 6 | 1k+ | Output is not escaped | ||
| #5328 | Export Categories | 66 | 22 | 13 | 1k+ | Output is not escaped | ||
| #5329 | Hide Title | 66 | 13 | 6 | 30k+ | Output is not escaped | ||
| #5330 | HiFi (Head Injection, Foot Injection) | 66 | 13 | 11 | 2k+ | Output is not escaped | ||
| #5331 | Icon Widget | 66 | 14 | 9 | 4k+ | Output is not escaped | ||
| #5332 | IranDargah Payment Gateway for Woocommerce | 66 | 66 | 26 | 400 | Text Domain Mismatch | ||
| #5333 | Free Property Valuation (Lead Generator) / Kostenlose Immobilienbewertung | 66 | 11 | 5 | 600 | Unsafe printing function | ||
| #5334 | LeadBack – Callback, Chatbot and Live Chat Widgets for WordPress sites | 66 | 17 | 5 | 600 | Unsafe printing function | ||
| #5335 | Link Widget Title | 66 | 22 | 5 | 4k+ | Output is not escaped | ||
| #5336 | PopBox For Elementor | 66 | 31 | 9 | 3k+ | Output is not escaped | ||
| #5337 | Page Title Splitter | 66 | 29 | 8 | 1k+ | wp function not compatible with requires wp | ||
| #5338 | Page Meta | 66 | 26 | 14 | 700 | Missing Arg Domain | ||
| #5339 | Plugin Compatibility Checker | 66 | 73 | 18 | 9k+ | Text Domain Mismatch | ||
| #5340 | Product Size Chart For WooCommerce | 66 | 9 | 22 | 6k+ | Non-prefixed hook name | ||
| #5341 | Mailchimp Widget by ProteusThemes | 66 | 17 | 9 | 1k+ | Output is not escaped | ||
| #5342 | Raw HTML | 66 | 17 | 35 | 10k+ | Non-prefixed function | ||
| #5343 | Really Simple CSV Importer | 66 | 38 | 8 | 40k+ | Output is not escaped | ||
| #5344 | Seed Fonts | 66 | 29 | 11 | 20k+ | Output is not escaped | ||
| #5345 | Shortcode for Current Date | 66 | 27 | 12 | 10k+ | Text Domain Mismatch | ||
| #5346 | TAO Schedule Update | 66 | 37 | 11 | 2k+ | Text Domain Mismatch | ||
| #5347 | User Profile Picture | 66 | 9 | 8 | 4k+ | Missing nonce verification | ||
| #5348 | Visual Link Preview | 66 | 47 | 2 | 10k+ | Output is not escaped | ||
| #5349 | Frenet Shipping Gateway for WooCommerce – Correios, Etiquetas e Rastreio | 66 | 22 | 31 | 4k+ | Non-prefixed global variable | ||
| #5350 | WooCommerce Accepted Payment Methods | 66 | 28 | 4 | 2k+ | badly named files |