WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
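The fixes above applied to one template function, as an added example (not code from this page or from any listed plugin). The `myplugin_` function name, the `myplugin_contact` option and its keys are hypothetical.

```php
<?php
// Added example; the myplugin_ names and option keys are hypothetical.

/**
 * Render a contact card from a stored option. Values stay raw until the
 * moment they are printed, then are escaped for the context they land in.
 */
function myplugin_render_contact_card() {
	$card = wp_parse_args(
		get_option( 'myplugin_contact', array() ),
		array(
			'name'      => '',
			'url'       => '',
			'css_class' => '',
			'bio'       => '',
		)
	);

	// Flagged by WordPress.Security.EscapeOutput.OutputNotEscaped:
	// echo '<a class="' . $card['css_class'] . '" href="' . $card['url'] . '">' . $card['name'] . '</a>';

	// Fixed: one escaping function per output context, applied at output time.
	printf(
		'<a class="%1$s" href="%2$s">%3$s</a>',
		esc_attr( $card['css_class'] ), // attribute value
		esc_url( $card['url'] ),        // URL; disallowed schemes such as javascript: are rejected
		esc_html( $card['name'] )       // plain text node
	);

	// Limited HTML is intended in the bio, so allow only these tags and attributes.
	$allowed = array(
		'a'      => array(
			'href'  => array(),
			'title' => array(),
		),
		'em'     => array(),
		'strong' => array(),
	);
	echo '<p class="bio">' . wp_kses( $card['bio'], $allowed ) . '</p>';

	// When the value should accept the same HTML as post content:
	// echo wp_kses_post( $card['bio'] );
}
```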
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #5851 | Floating Contact Button | 77 | 6 | 3 | 1k+ | Output is not escaped | ||
| #5852 | GDPR | 77 | 39 | 121 | 10k+ | Non-prefixed global variable | ||
| #5853 | Gravity Forms Auto Placeholders | 77 | 9 | 8 | 700 | trademarked term | ||
| #5854 | Mailster Mailgun Integration | 77 | 16 | 5 | 500 | Missing Translators Comment | ||
| #5855 | Master QR Code Generator – Fast & Easy QR Code Creator | 77 | 21 | 59 | 400 | Non-prefixed global variable | ||
| #5856 | Modern Footnotes | 77 | 18 | 6 | 6k+ | Output is not escaped | ||
| #5857 | PDF Smart Viewer for Elementor | 77 | 18 | 16 | 1k+ | Non-prefixed global variable | ||
| #5858 | Pushover Integration for WooCommerce | 77 | 107 | 7 | 800 | Text Domain Mismatch | ||
| #5859 | Remove Taxonomy Slug | 77 | 23 | 2 | 400 | Output is not escaped | ||
| #5860 | Responsive Tabs For Elementor | 77 | 57 | 27 | 1k+ | Text Domain Mismatch | ||
| #5861 | Scroll Magic Addon for Elementor | 77 | 344 | 7 | 400 | Text Domain Mismatch | ||
| #5862 | Self-Hosted Google Fonts | 77 | 35 | 11 | 30k+ | Text Domain Mismatch | ||
| #5863 | SendPulse Email Marketing Newsletter | 77 | 8 | 7 | 1k+ | Output is not escaped | ||
| #5864 | Shipping Zone Duplicator for WooCommerce | 77 | 10 | 14 | 800 | Nonce verification recommended | ||
| #5865 | Display custom fields in the frontend – Post and User Profile Fields | 77 | 17 | 18 | 600 | Non-prefixed global variable | ||
| #5866 | Simple Floating Menu | 77 | 13 | 3 | 10k+ | Missing direct file access protection | ||
| #5867 | Storefront Top Bar | 77 | 20 | 13 | 2k+ | Non-prefixed hook name | ||
| #5868 | Supreme Google Webfonts | 77 | 12 | 7 | 1k+ | Text Domain Mismatch | ||
| #5869 | Tagembed Social Feeds Widget | 77 | 21 | 137 | 10k+ | Non-prefixed function | ||
| #5870 | Taggbox: Social Feed Widgets | 77 | 23 | 113 | 1k+ | Direct Query | ||
| #5871 | UsageDD | 77 | 8 | 3 | 1k+ | Output is not escaped | ||
| #5872 | Username | 77 | 5 | 8 | 800 | Deprecated function: screen_icon | ||
| #5873 | Widget Classes | 77 | 5 | 7 | 1k+ | Missing nonce verification | ||
| #5874 | WP Comment Notification | 77 | 28 | 10 | 400 | Missing Arg Domain | ||
| #5875 | WP Editor Widget | 77 | 9 | 6 | 9k+ | Unsafe printing function | ||
| #5876 | Lorem Ipsum Generator | 77 | 7 | 9 | 500 | Missing direct file access protection | ||
| #5877 | WP Night Mode | 77 | 8 | 11 | 700 | Non-prefixed function | ||
| #5878 | WPA WooCommerce Product Gallery Slider Lite | 77 | 66 | 52 | 400 | Text Domain Mismatch | ||
| #5879 | Pay with PAYUNi | 77 | 9 | 13 | 500 | Input is not sanitized | ||
| #5880 | Accordion Blocks | 78 | 9 | 3 | 10k+ | Unsafe printing function | ||
| #5881 | Advanced Custom Fields: Gravity Forms Add-on | 78 | 33 | 13 | 30k+ | Text Domain Mismatch | ||
| #5882 | Support For Icomoon with Advanced Custom Fields | 78 | 15 | 6 | 1k+ | Output is not escaped | ||
| #5883 | Active Campaign & WPForms | 78 | 27 | 10 | 400 | Text Domain Mismatch | ||
| #5884 | AffiliateWP – Affiliate QR Codes | 78 | 32 | 8 | 1k+ | Text Domain Mismatch | ||
| #5885 | AffiliateWP – Allow Own Referrals | 78 | 37 | 10 | 600 | Text Domain Mismatch | ||
| #5886 | AWP Classifieds | 78 | 11 | 9 | 3k+ | Output is not escaped | ||
| #5887 | Boei – AI Chatbot, Live Chat & 50+ Channels for WordPress | 78 | 9 | 4 | 1k+ | Output is not escaped | ||
| #5888 | Code Block Syntax Highlighter for Elementor | 78 | 344 | 3 | 600 | Non Singular String Literal Domain | ||
| #5889 | Date Picker For Contact Form 7 | 78 | 3 | 8 | 4k+ | Missing nonce verification | ||
| #5890 | Player for SoundCloud – Embed and Play Audio Tracks | 78 | 17 | 24 | 1k+ | Text Domain Mismatch | ||
| #5891 | Floating Ads Bottom | 78 | 9 | 1 | 2k+ | Setting is missing a sanitization callback | ||
| #5892 | Frontend Product Editor for WooCommerce | 78 | 76 | 31 | 500 | Text Domain Mismatch | ||
| #5893 | Honeypot Anti-Spam | 78 | 5 | 7 | 10k+ | Missing nonce verification | ||
| #5894 | Login Widget for Ultimate Member | 78 | 10 | 10 | 600 | Input is not sanitized | ||
| #5895 | Maintenance Notice | 78 | 26 | 71 | 800 | Non-prefixed global variable | ||
| #5896 | Media Focus Point | 78 | 11 | 6 | 5k+ | Output is not escaped | ||
| #5897 | More Mails for CF7 | 78 | 13 | 6 | 500 | Text Domain Mismatch | ||
| #5898 | Nav Menu Images | 78 | 5 | 8 | 6k+ | Missing nonce verification | ||
| #5899 | One Time Login | 78 | 7 | 8 | 40k+ | Nonce verification recommended | ||
| #5900 | Post slider elementor addons | 78 | 45 | 8 | 2k+ | Text Domain Mismatch | ||