WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5951 | Headless Mode | 80 | 7 | 0 | 2k+ | Unsafe printing function | ||
| #5952 | Leadinfo | 80 | 11 | 8 | 7k+ | Missing direct file access protection | ||
| #5953 | Nudgify Social Proof | 80 | 3 | 12 | 600 | Discouraged PHP function | ||
| #5954 | Ocean Custom Sidebar | 80 | 8 | 3 | 30k+ | Missing Arg Domain | ||
| #5955 | Offcanvas Mobile Menu | 80 | 22 | 7 | 800 | Missing direct file access protection | ||
| #5956 | Oomph Hidden Tags | 80 | 13 | 2 | 400 | Missing Arg Domain | ||
| #5957 | Panda Video | 80 | 29 | 17 | 3k+ | Non-prefixed global variable | ||
| #5958 | Parallax Image | 80 | 6 | 1 | 2k+ | Missing direct file access protection | ||
| #5959 | Podamibe Custom User Gravatar | 80 | 12 | 8 | 3k+ | Non Singular String Literal Domain | ||
| #5960 | Post Carousel Addons For Elementor | 80 | 9 | 8 | 1k+ | Output is not escaped | ||
| #5961 | Publish View | 80 | 12 | 6 | 500 | Missing nonce verification | ||
| #5962 | Quick Edit Yoast SEO | 80 | 5 | 12 | 900 | Request data is not unslashed | ||
| #5963 | Random Content | 80 | 10 | 8 | 3k+ | Output is not escaped | ||
| #5964 | Re-add text underline and justify | 80 | 10 | 2 | 50k+ | Output is not escaped | ||
| #5965 | Recent Products Block | 80 | 11 | 0 | 600 | Output is not escaped | ||
| #5966 | Rich Contact Widget | 80 | 13 | 2 | 9k+ | Output is not escaped | ||
| #5967 | TP PieBuilder | 80 | 9 | 7 | 500 | Output is not escaped | ||
| #5968 | Wincher Rank Tracker | 80 | 8 | 6 | 3k+ | Output is not escaped | ||
| #5969 | Gift Wrapper for WooCommerce | 80 | 111 | 125 | 2k+ | Text Domain Mismatch | ||
| #5970 | Discounts Per Payment Method on WooCommerce | 80 | 8 | 8 | 1k+ | Missing Translators Comment | ||
| #5971 | WP Delete User Accounts | 80 | 10 | 7 | 800 | Missing direct file access protection | ||
| #5972 | AboveWP Bulgarian Eurozone | 81 | 10 | 8 | 3k+ | Output is not escaped | ||
| #5973 | Sympl Repeater for ACF and Elementor | 81 | 9 | 4 | 1k+ | Output is not escaped | ||
| #5974 | Advanced Image Hover Effect for Elementor | 81 | 251 | 8 | 1k+ | Text Domain Mismatch | ||
| #5975 | Folder Excluder for AIO WP Migration | 81 | 8 | 5 | 1k+ | Non-prefixed function | ||
| #5976 | atec Cache APCu | 81 | 41 | 21 | 3k+ | wp function not compatible with requires wp | ||
| #5977 | AWEOS Google Maps iframe load per click | 81 | 11 | 7 | 3k+ | Text Domain Mismatch | ||
| #5978 | Ceylon Demo Installer | 81 | 11 | 9 | 400 | Non-prefixed function | ||
| #5979 | Cf7 Icons and Labels | 81 | 16 | 4 | 500 | Text Domain Mismatch | ||
| #5980 | Checklist in Post | 81 | 14 | 7 | 400 | Missing Version | ||
| #5981 | CHL-Change HTML Lang | 81 | 5 | 7 | 7k+ | Non-prefixed function | ||
| #5982 | Column Ordering For Elementor | 81 | 21 | 6 | 1k+ | Text Domain Mismatch | ||
| #5983 | cookie-cat | 81 | 14 | 27 | 1k+ | Non-prefixed function | ||
| #5984 | Custom Login Css | 81 | 10 | 0 | 400 | Missing direct file access protection | ||
| #5985 | Disable Gutenberg Blocks – Block Manager | 81 | 6 | 10 | 4k+ | trademarked term | ||
| #5986 | Disable Post Revision | 81 | 6 | 3 | 3k+ | Output is not escaped | ||
| #5987 | eCommerce Shipping Dashboard by UPS for WooCommerce | 81 | 6 | 35 | 1k+ | Non-prefixed constant | ||
| #5988 | ERE Recently Viewed – Essential Real Estate Add-On | 81 | 6 | 3 | 1k+ | Output is not escaped | ||
| #5989 | External Thumbnail | 81 | 6 | 5 | 20k+ | Missing nonce verification | ||
| #5990 | FAQ Schema For Pages And Posts | 81 | 56 | 5 | 7k+ | Text Domain Mismatch | ||
| #5991 | Faster Pagination | 81 | 11 | 0 | 1k+ | Output is not escaped | ||
| #5992 | Fullwidth Templates for Any Theme & Page Builder | 81 | 12 | 23 | 20k+ | Non-prefixed constant | ||
| #5993 | GIF Master – Awesome GIFs with Giphy and Tenor | 81 | 7 | 6 | 3k+ | Output is not escaped | ||
| #5994 | Gravity Forms CLI Add-On | 81 | 31 | 4 | 20k+ | Missing direct file access protection | ||
| #5995 | GSheetConnector for Elementor Forms – Sync Elementor Forms to Google Sheets | 81 | 11 | 12 | 9k+ | Non-prefixed global variable | ||
| #5996 | Hotline & Zalo Setting | 81 | 13 | 2 | 500 | Output is not escaped | ||
| #5997 | LottieFiles – JSON Based Animation Lottie & Bodymovin for Elementor | 81 | 162 | 9 | 3k+ | Text Domain Mismatch | ||
| #5998 | Max Mega Menu – StoreFront Integration | 81 | 12 | 2 | 2k+ | Text Domain Mismatch | ||
| #5999 | Migrate Guru – Site Migration & Cloning | 81 | 7 | 8 | 200k+ | Database parameter is not escaped | ||
| #6000 | OG — Better Share on Social Media | 81 | 14 | 51 | 30k+ | Non-prefixed hook name |