WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#5651Product Category Dropdowns73193900Output is not escaped
#5652Remove Taxonomy URL7317161k+Output is not escaped
#5653RPS Include Content73132700Output is not escaped
#5654Server-Side Cache AutoPurge73161710k+Text Domain Mismatch
#5655Simple Image Popup732151k+Output is not escaped
#5656Theme Inspector73237400Output is not escaped
#5657Timeline Express – No Icons Add-On73109700Output is not escaped
#5658Under Construction Light731381k+Text Domain Mismatch
#5659Pedido Mínimo para WooCommerce738141k+Nonce verification recommended
#5660WC Order Test73896k+Output is not escaped
#5661WPWaterMark 轻水印插件7324171k+Request data is not unslashed
#5662Zoho SalesIQ – Live chat, chatbots, and visitor tracking7311920k+Input is not validated
#5663Advanced Custom Fields: Accordion Tab Field741411800Missing Version
#5664Advanced Custom Fields: Archive Templates74117900Output is not escaped
#5665ACF Columns744744k+Text Domain Mismatch
#5666Admin Columns for ACF Fields74789k+Output is not escaped
#5667Advanced Custom Fields: Widget Area Field74294400Text Domain Mismatch
#5668AffiliateWP – Sign Up Bonus744613400Text Domain Mismatch
#5669Append Link on Copy74235800Output is not escaped
#5670Bangla Date Display744474k+Text Domain Mismatch
#5671Boxy WooCommerce Custom Redirect After Checkout74278700badly named files
#5672BP xProfile Location74724600Missing nonce verification
#5673Buy Now Button for WooCommerce749112k+Nonce verification recommended
#5674Calculation For Contact Form 7742151k+Text Domain Mismatch
#5675Signature Field For Contact Form 7 – CF7Sign74912700Missing Translators Comment
#5676Clean WP Admin Menu741913600Non Singular String Literal Domain
#5677Code Snippet DM74212500Output is not escaped
#5678Comment Approved Notifier Extended74510500Output is not escaped
#5679Custom Icons for Elementor and WPBakery74353810k+Non-prefixed global variable
#5680Duplicate Taxonomy Term74952k+Nonce verification recommended
#5681Duplicate Widget741701k+Output is not escaped
#5682Dynamic Conditions7442360k+Missing Arg Domain
#5683Edit Author Slug7458100k+Output is not escaped
#5684Contact Form 7 Email Validation748101k+Input is not validated
#5685Fast Speed Index74912500Direct Query
#5686Formidable Honeypot74106400Text Domain Mismatch
#5687Google Web Fonts Customizer (GWFC)74484900Text Domain Mismatch
#5688Gravity Forms Multi Currency74612400Output is not escaped
#5689Highlight and Share – Unobtrusive and Lightweight Content Sharing7412115800Non-prefixed hook name
#5690Live Custom CSS JS Code Editor74184400Output is not escaped
#5691Markup Markdown74181282k+Non-prefixed global variable
#5692Multiple Admin Email Addresses74741k+Missing nonce verification
#5693Elements For Elementor74393710k+Non-prefixed global variable
#5694Image Gallery748114k+Nonce verification recommended
#5695Outfunnel: Web Visitor Tracking & CRM Integration74349600Short PHP open tag found
#5696Post Carousel for DV Builder7415292k+Text Domain Mismatch
#5697Post Grid Addon for Elementor74161310k+Missing direct file access protection
#5698Post My CF7 Form74211682k+Non-prefixed global variable
#5699Product Layouts for WooCommerce745751k+Direct Query
#5700WP All Import – Property Import for RealHomes741712700Output is not escaped