WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5651 | Product Category Dropdowns | 73 | 19 | 3 | 900 | Output is not escaped | ||
| #5652 | Remove Taxonomy URL | 73 | 17 | 16 | 1k+ | Output is not escaped | ||
| #5653 | RPS Include Content | 73 | 13 | 2 | 700 | Output is not escaped | ||
| #5654 | Server-Side Cache AutoPurge | 73 | 16 | 17 | 10k+ | Text Domain Mismatch | ||
| #5655 | Simple Image Popup | 73 | 21 | 5 | 1k+ | Output is not escaped | ||
| #5656 | Theme Inspector | 73 | 23 | 7 | 400 | Output is not escaped | ||
| #5657 | Timeline Express – No Icons Add-On | 73 | 10 | 9 | 700 | Output is not escaped | ||
| #5658 | Under Construction Light | 73 | 13 | 8 | 1k+ | Text Domain Mismatch | ||
| #5659 | Pedido Mínimo para WooCommerce | 73 | 8 | 14 | 1k+ | Nonce verification recommended | ||
| #5660 | WC Order Test | 73 | 8 | 9 | 6k+ | Output is not escaped | ||
| #5661 | WPWaterMark 轻水印插件 | 73 | 24 | 17 | 1k+ | Request data is not unslashed | ||
| #5662 | Zoho SalesIQ – Live chat, chatbots, and visitor tracking | 73 | 11 | 9 | 20k+ | Input is not validated | ||
| #5663 | Advanced Custom Fields: Accordion Tab Field | 74 | 14 | 11 | 800 | Missing Version | ||
| #5664 | Advanced Custom Fields: Archive Templates | 74 | 11 | 7 | 900 | Output is not escaped | ||
| #5665 | ACF Columns | 74 | 47 | 4 | 4k+ | Text Domain Mismatch | ||
| #5666 | Admin Columns for ACF Fields | 74 | 7 | 8 | 9k+ | Output is not escaped | ||
| #5667 | Advanced Custom Fields: Widget Area Field | 74 | 29 | 4 | 400 | Text Domain Mismatch | ||
| #5668 | AffiliateWP – Sign Up Bonus | 74 | 46 | 13 | 400 | Text Domain Mismatch | ||
| #5669 | Append Link on Copy | 74 | 23 | 5 | 800 | Output is not escaped | ||
| #5670 | Bangla Date Display | 74 | 44 | 7 | 4k+ | Text Domain Mismatch | ||
| #5671 | Boxy WooCommerce Custom Redirect After Checkout | 74 | 27 | 8 | 700 | badly named files | ||
| #5672 | BP xProfile Location | 74 | 7 | 24 | 600 | Missing nonce verification | ||
| #5673 | Buy Now Button for WooCommerce | 74 | 9 | 11 | 2k+ | Nonce verification recommended | ||
| #5674 | Calculation For Contact Form 7 | 74 | 21 | 5 | 1k+ | Text Domain Mismatch | ||
| #5675 | Signature Field For Contact Form 7 – CF7Sign | 74 | 9 | 12 | 700 | Missing Translators Comment | ||
| #5676 | Clean WP Admin Menu | 74 | 19 | 13 | 600 | Non Singular String Literal Domain | ||
| #5677 | Code Snippet DM | 74 | 21 | 2 | 500 | Output is not escaped | ||
| #5678 | Comment Approved Notifier Extended | 74 | 5 | 10 | 500 | Output is not escaped | ||
| #5679 | Custom Icons for Elementor and WPBakery | 74 | 35 | 38 | 10k+ | Non-prefixed global variable | ||
| #5680 | Duplicate Taxonomy Term | 74 | 9 | 5 | 2k+ | Nonce verification recommended | ||
| #5681 | Duplicate Widget | 74 | 17 | 0 | 1k+ | Output is not escaped | ||
| #5682 | Dynamic Conditions | 74 | 42 | 3 | 60k+ | Missing Arg Domain | ||
| #5683 | Edit Author Slug | 74 | 5 | 8 | 100k+ | Output is not escaped | ||
| #5684 | Contact Form 7 Email Validation | 74 | 8 | 10 | 1k+ | Input is not validated | ||
| #5685 | Fast Speed Index | 74 | 9 | 12 | 500 | Direct Query | ||
| #5686 | Formidable Honeypot | 74 | 10 | 6 | 400 | Text Domain Mismatch | ||
| #5687 | Google Web Fonts Customizer (GWFC) | 74 | 48 | 4 | 900 | Text Domain Mismatch | ||
| #5688 | Gravity Forms Multi Currency | 74 | 6 | 12 | 400 | Output is not escaped | ||
| #5689 | Highlight and Share – Unobtrusive and Lightweight Content Sharing | 74 | 12 | 115 | 800 | Non-prefixed hook name | ||
| #5690 | Live Custom CSS JS Code Editor | 74 | 18 | 4 | 400 | Output is not escaped | ||
| #5691 | Markup Markdown | 74 | 18 | 128 | 2k+ | Non-prefixed global variable | ||
| #5692 | Multiple Admin Email Addresses | 74 | 7 | 4 | 1k+ | Missing nonce verification | ||
| #5693 | Elements For Elementor | 74 | 39 | 37 | 10k+ | Non-prefixed global variable | ||
| #5694 | Image Gallery | 74 | 8 | 11 | 4k+ | Nonce verification recommended | ||
| #5695 | Outfunnel: Web Visitor Tracking & CRM Integration | 74 | 34 | 9 | 600 | Short PHP open tag found | ||
| #5696 | Post Carousel for DV Builder | 74 | 152 | 9 | 2k+ | Text Domain Mismatch | ||
| #5697 | Post Grid Addon for Elementor | 74 | 16 | 13 | 10k+ | Missing direct file access protection | ||
| #5698 | Post My CF7 Form | 74 | 21 | 168 | 2k+ | Non-prefixed global variable | ||
| #5699 | Product Layouts for WooCommerce | 74 | 5 | 75 | 1k+ | Direct Query | ||
| #5700 | WP All Import – Property Import for RealHomes | 74 | 17 | 12 | 700 | Output is not escaped |