WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5351 | WP Scroll Depth | 66 | 29 | 9 | 1k+ | Output is not escaped | ||
| #5352 | WP Term Images | 66 | 4 | 18 | 2k+ | Nonce verification recommended | ||
| #5353 | Video Popup for Elementor – WPTD | 66 | 33 | 13 | 1k+ | Output is not escaped | ||
| #5354 | Add Logo to Admin | 67 | 14 | 3 | 6k+ | Unsafe printing function | ||
| #5355 | Address correction autocomplete for Woo | 67 | 19 | 9 | 1k+ | Text Domain Mismatch | ||
| #5356 | Affiliates Manager Google reCAPTCHA Integration | 67 | 18 | 10 | 400 | Request data is not unslashed | ||
| #5357 | Smart Related Products – AI-Inspired Recommendations for WooCommerce | 67 | 13 | 15 | 1k+ | Output is not escaped | ||
| #5358 | Awesome Contact Form7 for Elementor | 67 | 20 | 30 | 7k+ | Non-prefixed global variable | ||
| #5359 | Breadcrumbs Divi Module | 67 | 44 | 38 | 10k+ | Text Domain Mismatch | ||
| #5360 | Caddy – WooCommerce Side Cart & Free Shipping Bar | 67 | 38 | 199 | 3k+ | Non-prefixed global variable | ||
| #5361 | Card Elements for Elementor | 67 | 15 | 116 | 3k+ | Non-prefixed global variable | ||
| #5362 | CCM19 Integration | 67 | 14 | 13 | 4k+ | Nonce verification recommended | ||
| #5363 | Custom CSS Pro | 67 | 17 | 6 | 7k+ | Output is not escaped | ||
| #5364 | Custom Link Widget | 67 | 28 | 0 | 1k+ | Output is not escaped | ||
| #5365 | Duplicate TEC Event | 67 | 12 | 10 | 900 | date date | ||
| #5366 | Easy Media Replace | 67 | 16 | 14 | 1k+ | Output is not escaped | ||
| #5367 | Flexible Product Fields (WooCommerce Product Addons) – WooCommerce Product Page Editor | 67 | 57 | 98 | 10k+ | Non-prefixed global variable | ||
| #5368 | Forget Spam Comment | 67 | 5 | 10 | 10k+ | Input is not sanitized | ||
| #5369 | WordPress.com Editing Toolkit | 67 | 52 | 90 | 1k+ | Missing direct file access protection | ||
| #5370 | GravityExport Lite for Gravity Forms | 67 | 48 | 14 | 10k+ | Output is not escaped | ||
| #5371 | Hide Page And Post Title | 67 | 11 | 8 | 40k+ | Output is not escaped | ||
| #5372 | Hide Plugins | 67 | 7 | 15 | 1k+ | Nonce verification recommended | ||
| #5373 | Kraken.io Image Optimizer – Compress, Convert to WebP & AVIF, Resize & Bulk Optimize | 67 | 293 | 80 | 9k+ | Text Domain Mismatch | ||
| #5374 | Leadster | 67 | 6 | 10 | 4k+ | Non-prefixed function | ||
| #5375 | Mailster Gmail Integration | 67 | 15 | 13 | 1k+ | Missing Translators Comment | ||
| #5376 | Manage Upload Types | 67 | 7 | 13 | 400 | Output is not escaped | ||
| #5377 | Map Block Leaflet | 67 | 52 | 7 | 700 | Short PHP open tag found | ||
| #5378 | Meks Audio Player | 67 | 25 | 7 | 1k+ | Output is not escaped | ||
| #5379 | MetaTag | 67 | 7 | 13 | 600 | Input is not validated | ||
| #5380 | Missed Schedule Post Publisher | 67 | 11 | 10 | 7k+ | Output is not escaped | ||
| #5381 | Notely | 67 | 6 | 17 | 600 | Non-prefixed function | ||
| #5382 | Per Page Sidebars | 67 | 12 | 11 | 900 | Input is not validated | ||
| #5383 | Product Specifications for Woocommerce | 67 | 12 | 80 | 1k+ | Non-prefixed global variable | ||
| #5384 | Safelayout Elegant Icons – WordPress icons | 67 | 3 | 17 | 700 | Input is not validated | ||
| #5385 | Shoutcast Icecast HTML5 Radio Player | 67 | 17 | 10 | 1k+ | Input is not validated | ||
| #5386 | Simple Calendar – Advanced Custom Fields | 67 | 18 | 6 | 400 | Output is not escaped | ||
| #5387 | Simple HTTPS | 67 | 17 | 13 | 400 | Output is not escaped | ||
| #5388 | Simple Membership Custom Messages | 67 | 47 | 0 | 7k+ | Text Domain Mismatch | ||
| #5389 | Cart links for WooCommerce | 67 | 13 | 16 | 500 | Text Domain Mismatch | ||
| #5390 | WP Forms + Sprout Invoices – Easy Invoice & Quote Submissions | 67 | 40 | 12 | 400 | Text Domain Mismatch | ||
| #5391 | Text Expander | 67 | 50 | 15 | 600 | wp function not compatible with requires wp | ||
| #5392 | Theme Check | 67 | 143 | 6 | 20k+ | Missing Translators Comment | ||
| #5393 | Webyx for Elementor – Fullpage Fullscreen Scrolling Websites | 67 | 684 | 10 | 500 | Non Singular String Literal Domain | ||
| #5394 | Widget Contact Form 7 | 67 | 22 | 2 | 1k+ | Output is not escaped | ||
| #5395 | Expand Tabs for WooCommerce | 67 | 10 | 57 | 1k+ | Non-prefixed global variable | ||
| #5396 | WP-Copyright-Protection | 67 | 24 | 5 | 5k+ | wp function not compatible with requires wp | ||
| #5397 | JAMstack Deployments | 67 | 33 | 3 | 1k+ | Short PHP open tag found | ||
| #5398 | WP Logout Redirect | 67 | 20 | 5 | 400 | Unsafe printing function | ||
| #5399 | WP Post Branches | 67 | 16 | 12 | 4k+ | Nonce verification recommended | ||
| #5400 | wp-Typography | 67 | 91 | 33 | 20k+ | Missing direct file access protection |