WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5501 | Add Widget After Content | 70 | 6 | 11 | 7k+ | Setting is missing a sanitization callback | ||
| #5502 | In-feed ads for Google AdSense | 70 | 20 | 20 | 6k+ | Non-prefixed global variable | ||
| #5503 | Ambrosite Next/Previous Page Link Plus | 70 | 11 | 21 | 900 | Interpolated SQL is not prepared | ||
| #5504 | Animentor – Lottie & Bodymovin for Elementor | 70 | 18 | 8 | 4k+ | Output is not escaped | ||
| #5505 | AppScenic – Smart AI Dropshipping | 70 | 16 | 41 | 3k+ | Dynamic hook name | ||
| #5506 | Private Store for WooCommerce B2B & Wholesale by B2BKing | 70 | 86 | 8 | 600 | Text Domain Mismatch | ||
| #5507 | BestPrice Analytics Integration | 70 | 35 | 10 | 1k+ | Text Domain Mismatch | ||
| #5508 | Checkfront Online Booking System | 70 | 32 | 16 | 2k+ | wp function not compatible with requires wp | ||
| #5509 | Comment Form CSRF Protection | 70 | 7 | 10 | 500 | Request data is not unslashed | ||
| #5510 | Comment Form Js Validation | 70 | 23 | 8 | 2k+ | Missing Arg Domain | ||
| #5511 | ConvertCalculator: Build Cost, Price, Quotation, ROI Interactive Calculators | 70 | 9 | 12 | 800 | Output is not escaped | ||
| #5512 | Custom Currency for WooCommerce | 70 | 63 | 5 | 2k+ | Missing direct file access protection | ||
| #5513 | Easy Hotel – Powerful Hotel Booking | 70 | 4 | 1,900 | 800 | Non-prefixed global variable | ||
| #5514 | Embed Code – Headers & Footers by DesignBombs | 70 | 19 | 5 | 4k+ | Output is not escaped | ||
| #5515 | Ghost | 70 | 25 | 12 | 600 | Output is not escaped | ||
| #5516 | Host Header Injection Fix | 70 | 9 | 8 | 400 | Output is not escaped | ||
| #5517 | Library | 70 | 14 | 3 | 700 | Output is not escaped | ||
| #5518 | Xpro Slider For Beaver Builder – Lite | 70 | 147 | 13 | 500 | Text Domain Mismatch | ||
| #5519 | Multipart robots.txt editor | 70 | 19 | 8 | 1k+ | Output is not escaped | ||
| #5520 | Shipping Notices and No shipping options found info for WooCommerce | 70 | 9 | 18 | 400 | Non-prefixed global variable | ||
| #5521 | onepay Payment Gateway For WooCommerce | 70 | 49 | 13 | 900 | Text Domain Mismatch | ||
| #5522 | PipraPay Gateway | 70 | 11 | 6 | 400 | Output is not escaped | ||
| #5523 | Portfolio Post Type | 70 | 7 | 11 | 50k+ | Nonce verification recommended | ||
| #5524 | Purchased Items Column for WooCommerce Orders | 70 | 10 | 8 | 800 | Output is not escaped | ||
| #5525 | Remove Taxonomy Base Slug | 70 | 12 | 18 | 5k+ | Deprecated parameter: get_terms parameter 2 | ||
| #5526 | Ridhi Companion | 70 | 37 | 38 | 500 | Non-prefixed global variable | ||
| #5527 | RSS Importer | 70 | 14 | 2 | 30k+ | Output is not escaped | ||
| #5528 | Show-Hide / Collapse-Expand | 70 | 18 | 15 | 10k+ | Missing direct file access protection | ||
| #5529 | Show IP address | 70 | 6 | 20 | 1k+ | Input is not sanitized | ||
| #5530 | Simple Site Verify | 70 | 20 | 0 | 900 | Output is not escaped | ||
| #5531 | Simple Sticky Header on Scroll | 70 | 31 | 8 | 900 | Output is not escaped | ||
| #5532 | Smart WYSIWYG Blocks Of Content | 70 | 36 | 4 | 1k+ | Output is not escaped | ||
| #5533 | SQL Executioner | 70 | 18 | 17 | 2k+ | Non-prefixed global variable | ||
| #5534 | Stitch Express | 70 | 10 | 6 | 400 | Output is not escaped | ||
| #5535 | SubHeading | 70 | 22 | 13 | 1k+ | Non Singular String Literal Domain | ||
| #5536 | Support Me | 70 | 12 | 6 | 900 | Unsafe printing function | ||
| #5537 | Today's Date Inserter | 70 | 32 | 1 | 700 | Output is not escaped | ||
| #5538 | TP Product Image Flipper for WooCommerce | 70 | 17 | 15 | 9k+ | Non-prefixed function | ||
| #5539 | WEBKINDER Integration for Google Analytics and Google Tag Manager | 70 | 15 | 22 | 10k+ | Output is not escaped | ||
| #5540 | Quick Buy For Woocommerce | 70 | 105 | 22 | 1k+ | Text Domain Mismatch | ||
| #5541 | WP Image Borders | 70 | 47 | 6 | 2k+ | Text Domain Mismatch | ||
| #5542 | Post Template | 70 | 12 | 11 | 400 | Missing nonce verification | ||
| #5543 | WPThumb | 70 | 30 | 9 | 800 | Output is not escaped | ||
| #5544 | Download Manager Addons for Elementor | 70 | 272 | 13 | 6k+ | Non Singular String Literal Domain | ||
| #5545 | Yampi Checkout | 70 | 6 | 10 | 900 | Nonce verification recommended | ||
| #5546 | Web Accessibility with Max Access | 71 | 22 | 11 | 800 | curl curl setopt | ||
| #5547 | ACF Enhanced Message Field | 71 | 29 | 1 | 600 | Text Domain Mismatch | ||
| #5548 | Advanced Custom Fields: Price Field | 71 | 12 | 7 | 400 | Output is not escaped | ||
| #5549 | ACF Tooltip | 71 | 16 | 3 | 1k+ | Output is not escaped | ||
| #5550 | Add Any Extension to Pages | 71 | 3 | 10 | 2k+ | Input is not sanitized |