WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#5701Post Carousel for DV Builder7415292k+Text Domain Mismatch
#5702Post Grid Addon for Elementor74161310k+Missing direct file access protection
#5703Post My CF7 Form74211682k+Non-prefixed global variable
#5704Product Layouts for WooCommerce745751k+Direct Query
#5705WP All Import – Property Import for RealHomes741712700Output is not escaped
#5706Resume Builder7420591k+Non-prefixed global variable
#5707Scroll to Top Button741641k+Output is not escaped
#5708Security Headers7431113k+Deprecated parameter: unregister_setting parameter 3
#5709Show Pages IDs748810k+Output is not escaped
#5710Simple Scroll To Top WP742451k+Output is not escaped
#5711Simple Slug Translate743231k+Non Singular String Literal Domain
#5712Simply Excerpts74121500Setting is missing a sanitization callback
#5713Email Deliverability – SMTP Replacement, Email API Deliverability & Email Log74823200k+Output is not escaped
#5714Sticky Custom Post Types74150500Missing Arg Domain
#5715Change Storefront Footer Copyright Text7471214k+Text Domain Mismatch
#5716Extra Shipping Rates for WooCommerce741519800Non-prefixed global variable
#5717Widgets in Menu for WordPress7416128k+Text Domain Mismatch
#5718WP Cron HTTP Auth741271k+Output is not escaped
#5719Force Login745830k+Output is not escaped
#5720WP Revisions Limit741614800Missing Arg Domain
#5721WP Term Colors74313700Nonce verification recommended
#5722Zion Builder – Website Builder for Speed & Creativity744291k+Non-prefixed hook name
#5723Accordion Shortcode75170400Output is not escaped
#5724Acumbamail757361k+Non-prefixed global variable
#5725Admin Locale7512107k+Missing Arg Domain
#5726Anchor Episodes Index (Spotify for Podcasters)753231k+Text Domain Mismatch
#5727Beacon Lead Magnets and Lead Capture75825500Nonce verification recommended
#5728blueimp lightbox751921k+Output is not escaped
#5729Bulk Comments Management75625700Direct Query
#5730Canvas Image Resize751911k+Output is not escaped
#5731chat-me-now751554k+Output is not escaped
#5732Cognito Forms751342k+wp function not compatible with requires wp
#5733Colored Admin Post List7580500Heredoc Output Not Escaped
#5734Conditional Logic Emails, Fields, Redirect for Elementor Forms75312312k+wp function not compatible with requires wp
#5735Custom field finder75932k+Output is not escaped
#5736Customize Twenty Seventeen7533192k+Text Domain Mismatch
#5737Customize Twenty Sixteen753211500Text Domain Mismatch
#5738Delay Redirects7558900Request data is not unslashed
#5739En Spam75216500wp function not compatible with requires wp
#5740Eventin Addons for Divi Builder75617800Nonce verification recommended
#5741FareHarbor for WordPress751899k+Output is not escaped
#5742Force First and Last Name as Display Name755122k+Missing nonce verification
#5743Gradient Button for Elementor751642k+Output is not escaped
#5744Hum7582600wp function not compatible with requires wp
#5745List all URLs75855k+Missing nonce verification
#5746Open Graph Protocol Framework7517123k+Missing direct file access protection
#5747Options Framework7585610k+Non-prefixed function
#5748PJ News Ticker7513143k+Output is not escaped
#5749Post Type Switcher75318200k+Direct Query
#5750Logos Reftagger75121510k+Deprecated parameter: add_option parameter 3