WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#5601RiskPay Gateway: USDC Payouts for WooCommerce72202700Output is not escaped
#5602Robots.txt Editor7210710k+Input is not validated or sanitized
#5603Simple Local Avatars721416100k+Non-prefixed constant
#5604Smartwaiver Waiver Widget72178400Output is not escaped
#5605Social Media Icons Widget72181101k+badly named files
#5606Storefront Product Sharing721334k+Output is not escaped
#5607Tabs Widget for Page Builder722273k+Text Domain Mismatch
#5608Tiny Yardage Calculator72231300Output is not escaped
#5609Ultimate Member Custom Tab Builder Lite721215500Output is not escaped
#5610Video Backgrounds for SiteOrigin Page Builder725552k+Text Domain Mismatch
#5611Waymark721632900Missing direct file access protection
#5612Product Subtitle For WooCommerce726363k+Non-prefixed namespace
#5613Webyx for Gutenberg – Fullpage Fullscreen Scrolling Websites721411600Output is not escaped
#5614Customizer for WooCommerce721013800Nonce verification recommended
#5615ShinyStat Widget72142800Output is not escaped
#5616Advanced Custom Fields – Widget Relationship Field add-on73187500Output is not escaped
#5617AffiliateWP – Allowed Products7347191k+Text Domain Mismatch
#5618Albacross for WordPress731851k+Text Domain Mismatch
#5619ANAC XML Viewer732111k+Output is not escaped
#5620AADMY – Add Auto Date Month Year Into Posts733032400Non-prefixed function
#5621Bestfreebie Elementor Icons732713400Text Domain Mismatch
#5622Block Plugin Update739106k+Missing direct file access protection
#5623BuddyPress Activity Shortcode739142k+Non-prefixed hook name
#5624Clone Woo Orders – Free by WP Masters73138900Output is not escaped
#5625Conditionally display featured image on singular posts and pages7317630k+Output is not escaped
#5626Contact Form to Brevo7367111k+Text Domain Mismatch
#5627Contact Form7: Autocomplete73278500Text Domain Mismatch
#5628Custom Datepicker NMR734121k+Missing Version
#5629Emergency password reset735614800wp function not compatible with requires wp
#5630Export Media Library735530k+Output is not escaped
#5631Export Plugin Details731362k+Output is not escaped
#5632Force Password Change73410400Missing nonce verification
#5633Freetobook Responsive Widget73514500Input is not sanitized
#5634Genesis Widget Column Classes734145k+Non Singular String Literal Domain
#5635Gravity Fieldset for Gravity Forms73141900Output is not escaped
#5636Hide WP Toolbar734131k+trademarked term
#5637Infinite Notification – Sales Notification Plugin73135500Setting is missing a sanitization callback
#5638jQuery Lightbox For Native Galleries732675k+Text Domain Mismatch
#5639Meks Easy Ads Widget7321910k+Output is not escaped
#5640Meta Description7359400Input is not validated
#5641Multifile Upload Field for Contact Form 7734175k+Text Domain Mismatch
#5642My Simple Space732138k+Output is not escaped
#5643Weight zone shipping for WooCommerce7325131k+Missing Translators Comment
#5644Osom Modal Login734012400Text Domain Mismatch
#5645PDF viewer for Elementor & Gutenberg73141210k+Nonce verification recommended
#5646Website Optimization – Plerdy734811k+wp function not compatible with requires wp
#5647Plugin Groups7316121k+Non Singular String Literal Domain
#5648POKY – Product Importer73612700Input is not validated
#5649Popup for Contact Form 773137800Setting is missing a sanitization callback
#5650Product Bundles – Bulk Discounts73317600Text Domain Mismatch