WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
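The three fixes above applied to one function, as an added example (not code from any plugin listed on this page). The `demo_*` function and option names are hypothetical, and the code assumes it is loaded inside WordPress as part of a plugin.

```php
<?php
/**
 * Added illustration: a footer card that prints four dynamic values,
 * each landing in a different output context.
 * All demo_* function and option names are hypothetical.
 */

// Before: every echo below is reported as OutputNotEscaped.
function demo_profile_card_unescaped() {
	$name  = get_option( 'demo_display_name', '' );
	$link  = get_option( 'demo_profile_url', '' );
	$bio   = get_option( 'demo_bio_html', '' );
	$style = get_option( 'demo_card_style', 'plain' );

	echo '<div class="card card-' . $style . '">';
	echo '<a href="' . $link . '">' . $name . '</a>';
	echo '<p>' . $bio . '</p>';
	echo '</div>';
}

// After: values stay raw until the moment of output, where each one
// gets the escaping function that matches the context it is printed into.
function demo_profile_card_escaped() {
	$name  = get_option( 'demo_display_name', '' );
	$link  = get_option( 'demo_profile_url', '' );
	$bio   = get_option( 'demo_bio_html', '' );
	$style = get_option( 'demo_card_style', 'plain' );

	printf(
		'<div class="%1$s"><a href="%2$s">%3$s</a><p>%4$s</p></div>',
		esc_attr( 'card card-' . $style ), // HTML attribute value.
		esc_url( $link ),                  // URL; disallowed schemes come back as an empty string.
		esc_html( $name ),                 // Plain text node.
		wp_kses_post( $bio )               // Limited HTML, filtered to the tags allowed in post content.
	);
}

add_action( 'wp_footer', 'demo_profile_card_escaped' );
```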
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #5901 | One Time Login | 78 | 7 | 8 | 40k+ | Nonce verification recommended | ||
| #5902 | Post slider elementor addons | 78 | 45 | 8 | 2k+ | Text Domain Mismatch | ||
| #5903 | PrettyPhoto – Simple Lightbox Plugin | 78 | 25 | 12 | 2k+ | Non Singular String Literal Domain | ||
| #5904 | PushCrew | 78 | 10 | 0 | 400 | Missing Arg Domain | ||
| #5905 | QuadMenu – Divi Mega Menu | 78 | 17 | 2 | 1k+ | Text Domain Mismatch | ||
| #5906 | Recent Posts | 78 | 7 | 2 | 400 | Database parameter is not escaped | ||
| #5907 | Rename XMLRPC | 78 | 7 | 3 | 1k+ | Output is not escaped | ||
| #5908 | Resend Welcome Email | 78 | 5 | 9 | 1k+ | Nonce verification recommended | ||
| #5909 | RSS Includes Pages | 78 | 4 | 8 | 10k+ | Output is not escaped | ||
| #5910 | Run SQL Query | 78 | 13 | 8 | 600 | Non-prefixed global variable | ||
| #5911 | Animator – Scroll Triggered Animations | 78 | 16 | 24 | 2k+ | Missing direct file access protection | ||
| #5912 | Sendy | 78 | 11 | 2 | 500 | Output is not escaped | ||
| #5913 | Sheet2Site | 78 | 21 | 3 | 400 | Output is not escaped | ||
| #5914 | Simple Maintenance | 78 | 11 | 5 | 1k+ | Non-prefixed global variable | ||
| #5915 | Simple Universal Google Analytics | 78 | 11 | 0 | 4k+ | Output is not escaped | ||
| #5916 | Yandex Mail SMTP Server for WordPress | 78 | 16 | 5 | 2k+ | Text Domain Mismatch | ||
| #5917 | History Timeline for Biography, Company History & Event Timeline | 78 | 29 | 37 | 1k+ | Non-prefixed global variable | ||
| #5918 | Tuxedo Responsive Widget Columns | 78 | 19 | 3 | 400 | Output is not escaped | ||
| #5919 | Twenty20 Image Before-After | 78 | 104 | 14 | 20k+ | Text Domain Mismatch | ||
| #5920 | Exclude Category from Blog | 78 | 10 | 2 | 1k+ | Output is not escaped | ||
| #5921 | Feed Post Thumbnail | 78 | 9 | 3 | 2k+ | Unsafe printing function | ||
| #5922 | WP Simple Mail Sender | 78 | 21 | 6 | 3k+ | Non Singular String Literal Domain | ||
| #5923 | Zeno Font Resizer | 78 | 13 | 2 | 5k+ | Output is not escaped | ||
| #5924 | Add link on copied text | 79 | 11 | 3 | 400 | Output is not escaped | ||
| #5925 | AffiliateWP – Affiliate Info | 79 | 27 | 7 | 1k+ | Text Domain Mismatch | ||
| #5926 | AffiliateWP – Force Pending Referrals | 79 | 35 | 12 | 500 | Text Domain Mismatch | ||
| #5927 | AffiliateWP – WooCommerce Redirect Affiliates | 79 | 27 | 7 | 1k+ | Text Domain Mismatch | ||
| #5928 | AIKO – AI Developer Lite | 79 | 10 | 7 | 6k+ | error log error log | ||
| #5929 | Alx Extensions | 79 | 113 | 4 | 8k+ | Text Domain Mismatch | ||
| #5930 | Better Font Awesome | 79 | 6 | 9 | 70k+ | Input is not sanitized | ||
| #5931 | Chatra Live Chat + ChatBot + Cart Saver | 79 | 11 | 1 | 3k+ | Output is not escaped | ||
| #5932 | Bitly URL Shortener | 79 | 65 | 22 | 600 | Text Domain Mismatch | ||
| #5933 | CoolClock – a Javascript Analog Clock | 79 | 21 | 9 | 2k+ | Output is not escaped | ||
| #5934 | Disable Theme and Plugin Auto-Update Emails | 79 | 21 | 5 | 10k+ | Text Domain Mismatch | ||
| #5935 | Display Post Metadata | 79 | 12 | 4 | 500 | Output is not escaped | ||
| #5936 | Exclude Pages From Menu | 79 | 6 | 11 | 8k+ | Non-prefixed function | ||
| #5937 | Global Site Tag Tracking | 79 | 11 | 1 | 1k+ | Output is not escaped | ||
| #5938 | Last Name First Name | 79 | 9 | 5 | 500 | Non-prefixed function | ||
| #5939 | Meks ThemeForest Smart Widget | 79 | 12 | 4 | 10k+ | Output is not escaped | ||
| #5940 | Ni WooCommerce Admin Order Columns | 79 | 15 | 4 | 600 | Output is not escaped | ||
| #5941 | Weight/Country Shipping for WooCommerce | 79 | 10 | 2 | 900 | Unsafe printing function | ||
| #5942 | Oxyplug Preload | 79 | 7 | 9 | 500 | Output is not escaped | ||
| #5943 | Popupsmart | 79 | 28 | 2 | 600 | Output is not escaped | ||
| #5944 | Qi Addons For Elementor | 79 | 33 | 339 | 200k+ | Non-prefixed global variable | ||
| #5945 | Qty Increment Buttons for WooCommerce | 79 | 15 | 2 | 10k+ | Output is not escaped | ||
| #5946 | Remove Category URL – Remove 'category' base from category permalinks | 79 | 5 | 8 | 50k+ | Missing direct file access protection | ||
| #5947 | Search engines blocked warning | 79 | 20 | 3 | 500 | Output is not escaped | ||
| #5948 | Sellbrite | 79 | 18 | 4 | 500 | Short PHP open tag found | ||
| #5949 | Testimonial Customer Feedback | 79 | 3 | 6 | 1k+ | Nonce verification recommended | ||
| #5950 | Visual Editor Biography | 79 | 11 | 3 | 1k+ | Missing Arg Domain | ||