WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#5351WP Scroll Depth662991k+Output is not escaped
#5352WP Term Images664182k+Nonce verification recommended
#5353Video Popup for Elementor – WPTD6633131k+Output is not escaped
#5354Add Logo to Admin671436k+Unsafe printing function
#5355Address correction autocomplete for Woo671991k+Text Domain Mismatch
#5356Affiliates Manager Google reCAPTCHA Integration671810400Request data is not unslashed
#5357Smart Related Products – AI-Inspired Recommendations for WooCommerce6713151k+Output is not escaped
#5358Awesome Contact Form7 for Elementor6720307k+Non-prefixed global variable
#5359Breadcrumbs Divi Module67443810k+Text Domain Mismatch
#5360Caddy – WooCommerce Side Cart & Free Shipping Bar67381993k+Non-prefixed global variable
#5361Card Elements for Elementor67151163k+Non-prefixed global variable
#5362CCM19 Integration6714134k+Nonce verification recommended
#5363Custom CSS Pro671767k+Output is not escaped
#5364Custom Link Widget672801k+Output is not escaped
#5365Duplicate TEC Event671210900date date
#5366Easy Media Replace6716141k+Output is not escaped
#5367Flexible Product Fields (WooCommerce Product Addons) – WooCommerce Product Page Editor67579810k+Non-prefixed global variable
#5368Forget Spam Comment6751010k+Input is not sanitized
#5369WordPress.com Editing Toolkit6752901k+Missing direct file access protection
#5370GravityExport Lite for Gravity Forms67481410k+Output is not escaped
#5371Hide Page And Post Title6711840k+Output is not escaped
#5372Hide Plugins677151k+Nonce verification recommended
#5373Kraken.io Image Optimizer – Compress, Convert to WebP & AVIF, Resize & Bulk Optimize67293809k+Text Domain Mismatch
#5374Leadster676104k+Non-prefixed function
#5375Mailster Gmail Integration6715131k+Missing Translators Comment
#5376Manage Upload Types67713400Output is not escaped
#5377Map Block Leaflet67527700Short PHP open tag found
#5378Meks Audio Player672571k+Output is not escaped
#5379MetaTag67713600Input is not validated
#5380Missed Schedule Post Publisher6711107k+Output is not escaped
#5381Notely67617600Non-prefixed function
#5382Per Page Sidebars671211900Input is not validated
#5383Product Specifications for Woocommerce6712801k+Non-prefixed global variable
#5384Safelayout Elegant Icons – WordPress icons67317700Input is not validated
#5385Shoutcast Icecast HTML5 Radio Player6717101k+Input is not validated
#5386Simple Calendar – Advanced Custom Fields67186400Output is not escaped
#5387Simple HTTPS671713400Output is not escaped
#5388Simple Membership Custom Messages674707k+Text Domain Mismatch
#5389Cart links for WooCommerce671316500Text Domain Mismatch
#5390WP Forms + Sprout Invoices – Easy Invoice & Quote Submissions674012400Text Domain Mismatch
#5391Text Expander675015600wp function not compatible with requires wp
#5392Theme Check67143620k+Missing Translators Comment
#5393Webyx for Elementor – Fullpage Fullscreen Scrolling Websites6768410500Non Singular String Literal Domain
#5394Widget Contact Form 7672221k+Output is not escaped
#5395Expand Tabs for WooCommerce6710571k+Non-prefixed global variable
#5396WP-Copyright-Protection672455k+wp function not compatible with requires wp
#5397JAMstack Deployments673331k+Short PHP open tag found
#5398WP Logout Redirect67205400Unsafe printing function
#5399WP Post Branches6716124k+Nonce verification recommended
#5400wp-Typography67913320k+Missing direct file access protection