WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.
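The three fixes above applied to one template function, shown next to the pattern the sniff flags. This is an added example, not code from WordPress Coding Standards or from any plugin listed on this page; the `myplugin_*` function names and option keys are hypothetical.

```php
<?php
// Added example. The myplugin_* names and option keys are hypothetical.

// Flagged by WordPress.Security.EscapeOutput.OutputNotEscaped:
// option values reach the page with no escaping call at the point of output.
function myplugin_render_badge_unescaped() {
	$label = get_option( 'myplugin_badge_label', '' );
	$link  = get_option( 'myplugin_badge_link', '' );
	$note  = get_option( 'myplugin_badge_note', '' );

	echo '<a href="' . $link . '" title="' . $label . '">' . $label . '</a>';
	echo '<div class="myplugin-note">' . $note . '</div>';
}

// Corrected: the same value is escaped differently depending on where it
// lands, and every escaping call sits directly at the output statement.
function myplugin_render_badge() {
	$label = get_option( 'myplugin_badge_label', '' );
	$link  = get_option( 'myplugin_badge_link', '' );
	$note  = get_option( 'myplugin_badge_note', '' ); // Limited HTML is allowed here.

	printf(
		'<a class="myplugin-badge" href="%1$s" title="%2$s">%3$s</a>',
		esc_url( $link ),    // URL context.
		esc_attr( $label ),  // Attribute context.
		esc_html( $label )   // Plain-text context.
	);

	// wp_kses_post() keeps the tags permitted in post content and strips
	// everything else, including script tags and event-handler attributes.
	echo '<div class="myplugin-note">' . wp_kses_post( $note ) . '</div>';
}
```

`$label` is escaped twice with two different functions because it is printed into two different contexts; escaping it once when it is read from the database would fit at most one of them.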

Affected Plugins

Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue
#6001 | Gravity Forms CLI Add-On | 81 | 31420k+ | Missing direct file access protection
#6002 | GSheetConnector for Elementor Forms – Sync Elementor Forms to Google Sheets | 81 | 11129k+ | Non-prefixed global variable
#6003 | Hotline & Zalo Setting | 81 | 132500 | Output is not escaped
#6004 | LottieFiles – JSON Based Animation Lottie & Bodymovin for Elementor | 81 | 16293k+ | Text Domain Mismatch
#6005 | Max Mega Menu – StoreFront Integration | 81 | 1222k+ | Text Domain Mismatch
#6006 | Migrate Guru – Site Migration & Cloning | 81 | 78200k+ | Database parameter is not escaped
#6007 | OG — Better Share on Social Media | 81 | 145130k+ | Non-prefixed hook name
#6008 | Open in New Window Plugin | 81 | 682k+ | Offloaded Content
#6009 | Page Excerpt | 81 | 1113k+ | Missing Arg Domain
#6010 | Portfolio Block – The Ultimate Project & Portfolio Builder | 81 | 65800 | Offloaded Content
#6011 | Post reading times | 81 | 1011k+ | Output is not escaped
#6012 | Post Type Archive Descriptions | 81 | 1141k+ | Missing direct file access protection
#6013 | QuadMenu – Astra Mega Menu | 81 | 102600 | Text Domain Mismatch
#6014 | Recent Posts FlexSlider | 81 | 131800 | Output is not escaped
#6015 | Redirect by Custom Field | 81 | 56600 | Nonce verification recommended
#6016 | ResponsiveVoice Text To Speech | 81 | 11187k+ | Non-prefixed function
#6017 | Select and Multi-Select Field for Contact Form 7 | 81 | 25122k+ | Text Domain Mismatch
#6018 | Simple Page Redirect | 81 | 3710k+ | Request data is not unslashed
#6019 | Simple Site Map Page | 81 | 914k+ | Output is not escaped
#6020 | Loops & Logic | 81 | 1132k+ | Missing direct file access protection
#6021 | Timed Content For Beaver Builder | 81 | 2981k+ | date date
#6022 | Force Authentification Before Checkout for WooCommerce | 81 | 1246k+ | Output is not escaped
#6023 | Free Shipping Bar for WooCommerce | 81 | 5212k+ | Non-prefixed global variable
#6024 | Bulk Order Form for WooCommerce | 81 | 898900 | Non-prefixed hook name
#6025 | Product SKU Generator for WooCommerce | 81 | 288k+ | Nonce verification recommended
#6026 | WP Events Manager WooCommerce | 81 | 20101k+ | Text Domain Mismatch
#6027 | WP GIF Player – Play & Pause | 81 | 64400 | Output is not escaped
#6028 | Require Login | 81 | 912500 | Non-prefixed function
#6029 | Wp Tracking Codes | 81 | 712900 | Nonce verification recommended
#6030 | Accordion Toggle | 82 | 17112k+ | Non-prefixed class
#6031 | ACF Multi Dates Field | 82 | 681k+ | Not In Footer
#6032 | Add New Default Avatar | 82 | 210500 | Output is not escaped
#6033 | Add-on Brevo for Gravity Forms | 82 | 15131k+ | Text Domain Mismatch
#6034 | Agent Image News | 82 | 1112k+ | Output is not escaped
#6035 | Bookero.pl – system rezerwacji online | 82 | 1271k+ | curl curl setopt
#6036 | Bulk Menu Edit | 82 | 49700 | Direct Query
#6037 | Clean Image Filenames | 82 | 6130k+ | Output is not escaped
#6038 | CodePen Embed Block | 82 | 83600 | Text Domain Mismatch
#6039 | Colibri Page Builder | 82 | 1383190k+ | Missing direct file access protection
#6040 | Awin Publisher MasterTag | 82 | 661k+ | Non-prefixed global variable
#6041 | Custom 404 Error Page | 82 | 1231k+ | Text Domain Mismatch
#6042 | Timber Debug Bar | 82 | 120600 | Output is not escaped
#6043 | Editor Blocks for Gutenberg | 82 | 68700 | Missing direct file access protection
#6044 | Genesis eNews Extended | 82 | 9140k+ | Output is not escaped
#6045 | Easy Genesis Logo Uploader | 82 | 185400 | Output is not escaped
#6046 | Head & Footer Code | 82 | 115100k+ | Non-prefixed constant
#6047 | Iknow Extra | 82 | 65400 | Missing direct file access protection
#6048 | Indent Lists Button | 82 | 103700 | Output is not escaped
#6049 | Japanese Proofreading Preview | 82 | 115400 | Nonce verification recommended
#6050 | Link Juice Optimizer | 82 | 1266k+ | Output is not escaped