WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
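The fixes above applied to one template function, shown beside the form the sniff flags. This is an added example, not code from WordPress Coding Standards or any listed plugin; the `myplugin_` function names and the `myplugin_site` meta key are hypothetical.

```php
<?php
// Added example for a WordPress plugin file. Assumes WordPress is loaded;
// the myplugin_ names and the 'myplugin_site' meta key are hypothetical.

// Flagged: every echo prints user-supplied profile data with no escaping call.
function myplugin_render_card_unescaped( $user_id ) {
	$name = get_user_meta( $user_id, 'nickname', true );
	$site = get_user_meta( $user_id, 'myplugin_site', true );
	$bio  = get_user_meta( $user_id, 'description', true );

	echo '<div class="card" title="' . $name . '">';
	echo '<a href="' . $site . '">' . $name . '</a>';
	echo '<p>' . $bio . '</p>';
	echo '</div>';
}

// Passes: values stay raw until the echo, where each one is escaped for the
// context it lands in. $name is printed twice and needs a different function
// each time, which is why escaping it once, early, would not be correct.
function myplugin_render_card( $user_id ) {
	$name = get_user_meta( $user_id, 'nickname', true );
	$site = get_user_meta( $user_id, 'myplugin_site', true );
	$bio  = get_user_meta( $user_id, 'description', true );

	// Limited HTML is intentionally allowed in the bio: links and emphasis only.
	$allowed_bio_html = array(
		'a'      => array( 'href' => array() ),
		'em'     => array(),
		'strong' => array(),
	);

	echo '<div class="card" title="' . esc_attr( $name ) . '">';          // attribute context
	echo '<a href="' . esc_url( $site ) . '">' . esc_html( $name ) . '</a>'; // URL, then plain text
	echo '<p>' . wp_kses( $bio, $allowed_bio_html ) . '</p>';              // filtered HTML
	echo '</div>';
}
```

Where the full set of post-content tags is acceptable, `wp_kses_post( $bio )` replaces the explicit allow-list.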
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5801 | CiviCRM Member Sync | 76 | 8 | 70 | 800 | | | Non-prefixed global variable |
| #5802 | Clear Cache Everywhere | 76 | 7 | 17 | 600 | | | Nonce verification recommended |
| #5803 | Custom Template for LearnDash | 76 | 7 | 9 | 1k+ | | | Non-prefixed hook name |
| #5804 | Dicode Icons Pack | 76 | 10 | 13 | 600 | | | Nonce verification recommended |
| #5805 | Disable Lazy Load | 76 | 8 | 6 | 400 | | | Non-prefixed constant |
| #5806 | Drip for WordPress | 76 | 11 | 7 | 2k+ | | | Missing direct file access protection |
| #5807 | Like Thumbnail | 76 | 13 | 8 | 1k+ | | | Output is not escaped |
| #5808 | Form to Chat App ⚡️ | 76 | 4 | 13 | 2k+ | | | Nonce verification recommended |
| #5809 | Lucky Orange | 76 | 56 | 0 | 2k+ | | | wp function not compatible with requires wp |
| #5810 | Admin Bookmarks | 76 | 30 | 4 | 500 | | | Text Domain Mismatch |
| #5811 | Ocean Posts Slider | 76 | 13 | 14 | 10k+ | | | Output is not escaped |
| #5812 | Page Loader | 76 | 9 | 4 | 3k+ | | | Missing Version |
| #5813 | ABC Crypto Checkout | 76 | 42 | 14 | 1k+ | | | Text Domain Mismatch |
| #5814 | PDF Flipbook Heyzine | 76 | 3 | 46 | 1k+ | | | Non-prefixed global variable |
| #5815 | Post Updated Date | 76 | 17 | 1 | 500 | | | Output is not escaped |
| #5816 | Preload Images | 76 | 8 | 6 | 1k+ | | | Output is not escaped |
| #5817 | Post UI Tabs | 76 | 55 | 4 | 400 | | | Non Singular String Literal Domain |
| #5818 | RS Template Builder For Elementor – Complete Control Over Headers, Footers & More | 76 | 11 | 56 | 1k+ | | | Post Not In exclude |
| #5819 | Siteready Coming Soon Under Construction | 76 | 6 | 30 | 3k+ | | | Non-prefixed global variable |
| #5820 | Smartideo | 76 | 8 | 3 | 1k+ | | | Output is not escaped |
| #5821 | Store file uploads for Contact Form 7 | 76 | 5 | 6 | 1k+ | | | Output is not escaped |
| #5822 | Super RSS Reader – Add attractive RSS Feed Widget | 76 | 24 | 5 | 10k+ | | | Output is not escaped |
| #5823 | TagPages | 76 | 13 | 4 | 1k+ | | | Missing Arg Domain |
| #5824 | Telephone Input For Contact Form 7 | 76 | 18 | 10 | 600 | | | Text Domain Mismatch |
| #5825 | Contact Form 7 Text CAPTCHA | 76 | 14 | 34 | 1k+ | | | Non-prefixed global variable |
| #5826 | The Future Is Now | 76 | 3 | 10 | 1k+ | | | Input is not sanitized |
| #5827 | Ultimate Data Table Addon For Elementor | 76 | 8 | 0 | 1k+ | | | Exception output is not escaped |
| #5828 | WC Hide Shipping Methods | 76 | 15 | 5 | 20k+ | | | Output is not escaped |
| #5829 | Breadcrumbs for WooCommerce | 76 | 14 | 2 | 6k+ | | | Output is not escaped |
| #5830 | Action Network | 76 | 19 | 17 | 400 | | | error log error log |
| #5831 | Hide Dashboard Notifications | 76 | 10 | 10 | 20k+ | | | Output is not escaped |
| #5832 | Test jQuery Updates | 76 | 10 | 3 | 1k+ | | | Unsafe printing function |
| #5833 | Social Share For WooCommerce | 76 | 85 | 23 | 500 | | | Text Domain Mismatch |
| #5834 | ACF Galerie 4 | 77 | 16 | 23 | 2k+ | | | Text Domain Mismatch |
| #5835 | AffiliateWP – External Referral Links | 77 | 30 | 11 | 800 | | | Text Domain Mismatch |
| #5836 | Always Edit In HTML | 77 | 7 | 5 | 1k+ | | | Output is not escaped |
| #5837 | Backup/Restore Divi Theme Options | 77 | 8 | 8 | 700 | | | Input is not validated |
| #5838 | Custom Profile Menu for BuddyPress | 77 | 8 | 4 | 400 | | | Output is not escaped |
| #5839 | Canonical SEO Content Syndication WordPress Plugin | 77 | 4 | 8 | 400 | | | Missing nonce verification |
| #5840 | Čeština pro WordPress | 77 | 16 | 4 | 400 | | | Output is not escaped |
| #5841 | Contact Form 7 Translate Messages Extension | 77 | 10 | 5 | 1k+ | | | Output is not escaped |
| #5842 | Color Your Bar | 77 | 5 | 10 | 400 | | | Input is not sanitized |
| #5843 | CodeKit – Custom Codes Editor | 77 | 11 | 29 | 4k+ | | | Non-prefixed global variable |
| #5844 | Disable Toolbar | 77 | 6 | 3 | 1k+ | | | Output is not escaped |
| #5845 | Variation Price Display For WooCommerce | 77 | 87 | 16 | 900 | | | Text Domain Mismatch |
| #5846 | Easy Featured Images | 77 | 14 | 4 | 1k+ | | | Output is not escaped |
| #5847 | Ceylon Extra | 77 | 89 | 41 | 600 | | | Text Domain Mismatch |
| #5848 | eSewa – Nepal First Payment Gateway | 77 | 48 | 9 | 600 | | | Text Domain Mismatch |
| #5849 | Floating Contact Button | 77 | 6 | 3 | 1k+ | | | Output is not escaped |
| #5850 | GDPR | 77 | 39 | 121 | 10k+ | | | Non-prefixed global variable |