WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#5401WPC Show Single Variations for WooCommerce675311k+Nonce verification recommended
#5402ACF: Yandex Maps Field687310800Text Domain Mismatch
#5403Auto Image Title & Alt68134400Missing direct file access protection
#5404Autoclear Autoptimize Cache681638k+Output is not escaped
#5405Book Previewer for Woocommerce6823401k+Non-prefixed global variable
#5406Category Featured Images68512600Input is not sanitized
#5407Collapsing Categories682984k+Missing direct file access protection
#5408Comment Approved68614500Input is not sanitized
#5409Controls for Contact Form 7 (Redirects, Analytics & Tracking)6841410k+Missing nonce verification
#5410ConvertBox Auto Embed WordPress plugin6818105k+Missing direct file access protection
#5411Content Security Policy Manager681922k+Output is not escaped
#5412Default Attributes for WooCommerce682218400Non-prefixed hook name
#5413Exchange Rates Today68910400Non-prefixed function
#5414Expire Sticky Posts681681k+Text Domain Mismatch
#5415Faire for WooCommerce68486800Direct Query
#5416Fatal Error Notify6810126k+Request data is not unslashed
#5417Featured Video for WooCommerce684013700Text Domain Mismatch
#5418WCAG 2.0 form fields for Gravity Forms6811135k+Output is not escaped
#5419Guestplan Booking Widget684361k+Text Domain Mismatch
#5420Logo Switcher68142800Output is not escaped
#5421Mailster Contact Form 76835201k+Text Domain Mismatch
#5422ミエルカヒートマップ タグマネージャー68911800Input is not validated
#5423News Magazine X Core6863305k+Missing Translators Comment
#5424One Stop Shop for WooCommerce68238310k+Input is not sanitized
#5425PagBank for WooCommerce688363k+Input is not sanitized
#5426Pinterest Verify Meta Tag68206600Output is not escaped
#5427Hide Title68136900Output is not escaped
#5428Postepay Gateway per Woocommerce683641k+Text Domain Mismatch
#5429Custom Form Builder, Contact Forms, Payment Forms, Surveys, Polls682118900Output is not escaped
#5430Protection Against DDoS682253k+Output is not escaped
#5431Reusable Gutenberg Blocks Widget68249500Output is not escaped
#5432Russian Post and EMS for WooCommerce6816471k+Non-prefixed global variable
#5433Series685562k+Text Domain Mismatch
#5434SF Author Url Control682941k+Output is not escaped
#5435Shiptastic Integration for DHL68543610k+Missing Translators Comment
#5436Slim Maintenance Mode6891010k+Output is not escaped
#5437Smartarget – Chat Buttons & Engagement Apps6831111k+Non Singular String Literal Domain
#5438Sortable Word Count Reloaded681862k+Output is not escaped
#5439Title Toggle for Storefront Theme681693k+Output is not escaped
#5440Template List Metabox681410900Missing Arg Domain
#5441Increase Maximum Upload File Size68281440k+Missing Arg Domain
#5442Video Tab For WooCommerce68713600Missing nonce verification
#5443WiserReview Product Reviews for WooCommerce6821110900Non-prefixed global variable
#5444Product Category Slider for WooCommerce6821104800Non-prefixed hook name
#5445WP and Divi Icons68201562k+wp function not compatible with requires wp
#5446WP Favicon68259500Non Singular String Literal Domain
#5447WP Smart Preloader6827105k+Output is not escaped
#5448WP Theme Changelogs681318900Nonce verification recommended
#5449WP User Avatars6852020k+Input is not sanitized
#5450YaySwatches – Variation Swatches for WooCommerce68281141k+Text Domain Mismatch