WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function that matches the output context (HTML text, attribute value, URL, or inline JavaScript).
Why It Shows Up
WordPress Coding Standards (WPCS) found a variable, option value, request value, translated string, or function return reaching an output statement (`echo`, `print`, `printf`, `_e()` and similar) without a recognised escaping call applied to it at that point. The sniff judges the output site only; it cannot know whether the value was sanitized when it was saved.
Why It Matters
Unescaped output becomes cross-site scripting whenever an attacker controls any part of the printed value. That includes values stored earlier (plugin options, post meta, shortcode attributes, user profile fields) and values that were sanitized on input, because sanitizing for storage does not encode the value for the HTML context it is later printed into.
How to Fix
- Use `esc_html()` for text nodes, `esc_attr()` for attribute values, `esc_url()` for `href` and `src` (it also returns an empty string for disallowed schemes such as `javascript:`), `esc_textarea()` for textarea content, and `wp_json_encode()` for values placed in inline JavaScript.
- Translated strings are output too: use `esc_html__()`, `esc_html_e()`, `esc_attr__()` and `esc_attr_e()` rather than the unescaped `__()` and `_e()`.
- Use `wp_kses()` with an explicit allowlist, or `wp_kses_post()` for post-content-like markup, when limited HTML is intentionally allowed; both remove tags and attributes (including `on*` event handlers) that are not on the list.
- Escape as late as possible, right before output, so the selected escaping function matches the final context. Sanitizing on save is a separate step and does not replace it.
- Do not silence the sniff with a `phpcs:ignore` comment unless the value is provably escaped where it is built; a variable name such as `$safe_html` is not evidence.
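The same render routine before and after the fix, as an added example that is not code from this page or from any plugin listed on it. It assumes WordPress is loaded (drop it into a plugin file or run it with `wp eval-file`), so `esc_*()`, `wp_kses()` and `wp_json_encode()` are the real WordPress functions; the option name, the function names and the attacker strings are hypothetical.

```php
<?php
/**
 * Added example, not from the original page or any listed plugin. Shows one
 * banner renderer before and after fixing OutputNotEscaped. Assumes WordPress
 * is loaded; option name, function names and sample values are hypothetical.
 */

// BEFORE: each concatenated value in this echo is flagged by WPCS. $atts comes
// from a shortcode in post content, $opts from a settings page, so anyone who
// can edit a post or save the plugin's settings controls what is printed.
function sample_banner_print_unescaped( array $atts, array $opts ) {
    $title = isset( $atts['title'] ) ? $atts['title'] : '';
    $link  = isset( $opts['link'] )  ? $opts['link']  : '';
    $body  = isset( $opts['body'] )  ? $opts['body']  : '';

    echo '<div class="banner" data-title="' . $title . '">'
       . '<a href="' . $link . '">' . $title . '</a>'
       . '<div class="body">' . $body . '</div>'
       . '<script>var bannerTitle = "' . $title . '";</script>'
       . '</div>';
}

// AFTER: one escaping function per output context, applied at the echo.
// How $atts and $opts were saved is irrelevant to this function.
function sample_banner_print_escaped( array $atts, array $opts ) {
    $title = isset( $atts['title'] ) ? $atts['title'] : '';
    $link  = isset( $opts['link'] )  ? $opts['link']  : '';
    $body  = isset( $opts['body'] )  ? $opts['body']  : '';

    // The body may carry a little inline markup and nothing else.
    $allowed = array(
        'a'      => array( 'href' => true, 'title' => true ),
        'strong' => array(),
        'em'     => array(),
        'br'     => array(),
    );

    echo '<div class="banner" data-title="' . esc_attr( $title ) . '">'
       // esc_url() encodes the value and returns '' for schemes such as javascript:
       . '<a href="' . esc_url( $link ) . '">' . esc_html( $title ) . '</a>'
       // wp_kses() drops tags and attributes (including on* handlers) not in $allowed
       . '<div class="body">' . wp_kses( $body, $allowed ) . '</div>'
       // JavaScript context: wp_json_encode() yields a quoted literal with "/" escaped,
       // so a "</script>" inside $title cannot close the script element
       . '<script>var bannerTitle = ' . wp_json_encode( $title ) . ';</script>'
       . '</div>';
}

// Shortcode wrapper: shortcode callbacks must return, so capture the echo.
function sample_banner_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'title' => '' ), $atts, 'sample_banner' );
    $opts = (array) get_option( 'sample_banner_options', array() );
    ob_start();
    sample_banner_print_escaped( $atts, $opts );
    return ob_get_clean();
}
add_shortcode( 'sample_banner', 'sample_banner_shortcode' );

// Constructed attacker-controlled values for a side-by-side check. Returns both
// renderings so they can be diffed, e.g. print_r( sample_banner_compare() ).
function sample_banner_compare() {
    $atts = array( 'title' => '"><img src=x onerror=alert(1)>' );
    $opts = array(
        'link' => 'javascript:alert(2)',
        'body' => '<strong onmouseover="alert(3)">hi</strong><script>alert(4)</script>',
    );
    ob_start();
    sample_banner_print_unescaped( $atts, $opts );
    $unescaped = ob_get_clean();
    ob_start();
    sample_banner_print_escaped( $atts, $opts );
    return array( 'unescaped' => $unescaped, 'escaped' => ob_get_clean() );
}
```

In the escaped rendering the attribute payload comes out as `&quot;&gt;&lt;img ...&gt;`, the `javascript:` link collapses to an empty `href`, and the body keeps `<strong>hi</strong>` but loses both the `onmouseover` handler and the `<script>` element (only its text `alert(4)` survives, as inert text). Note that the fix lives entirely in the output function; adding `sanitize_text_field()` on the settings page would not have satisfied the sniff, and would not have protected the JavaScript context.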
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue |
|---|---|---|---|---|---|---|
| #6001 | Gravity Forms CLI Add-On | 81 | 31 | 4 | 20k+ | Missing direct file access protection |
| #6002 | GSheetConnector for Elementor Forms – Sync Elementor Forms to Google Sheets | 81 | 11 | 12 | 9k+ | Non-prefixed global variable |
| #6003 | Hotline & Zalo Setting | 81 | 13 | 2 | 500 | Output is not escaped |
| #6004 | LottieFiles – JSON Based Animation Lottie & Bodymovin for Elementor | 81 | 162 | 9 | 3k+ | Text Domain Mismatch |
| #6005 | Max Mega Menu – StoreFront Integration | 81 | 12 | 2 | 2k+ | Text Domain Mismatch |
| #6006 | Migrate Guru – Site Migration & Cloning | 81 | 7 | 8 | 200k+ | Database parameter is not escaped |
| #6007 | OG — Better Share on Social Media | 81 | 14 | 51 | 30k+ | Non-prefixed hook name |
| #6008 | Open in New Window Plugin | 81 | 6 | 8 | 2k+ | Offloaded Content |
| #6009 | Page Excerpt | 81 | 11 | 1 | 3k+ | Missing Arg Domain |
| #6010 | Portfolio Block – The Ultimate Project & Portfolio Builder | 81 | 6 | 5 | 800 | Offloaded Content |
| #6011 | Post reading times | 81 | 10 | 1 | 1k+ | Output is not escaped |
| #6012 | Post Type Archive Descriptions | 81 | 11 | 4 | 1k+ | Missing direct file access protection |
| #6013 | QuadMenu – Astra Mega Menu | 81 | 10 | 2 | 600 | Text Domain Mismatch |
| #6014 | Recent Posts FlexSlider | 81 | 13 | 1 | 800 | Output is not escaped |
| #6015 | Redirect by Custom Field | 81 | 5 | 6 | 600 | Nonce verification recommended |
| #6016 | ResponsiveVoice Text To Speech | 81 | 11 | 18 | 7k+ | Non-prefixed function |
| #6017 | Select and Multi-Select Field for Contact Form 7 | 81 | 25 | 12 | 2k+ | Text Domain Mismatch |
| #6018 | Simple Page Redirect | 81 | 3 | 7 | 10k+ | Request data is not unslashed |
| #6019 | Simple Site Map Page | 81 | 9 | 1 | 4k+ | Output is not escaped |
| #6020 | Loops & Logic | 81 | 11 | 3 | 2k+ | Missing direct file access protection |
| #6021 | Timed Content For Beaver Builder | 81 | 29 | 8 | 1k+ | date date |
| #6022 | Force Authentification Before Checkout for WooCommerce | 81 | 12 | 4 | 6k+ | Output is not escaped |
| #6023 | Free Shipping Bar for WooCommerce | 81 | 5 | 21 | 2k+ | Non-prefixed global variable |
| #6024 | Bulk Order Form for WooCommerce | 81 | 8 | 98 | 900 | Non-prefixed hook name |
| #6025 | Product SKU Generator for WooCommerce | 81 | 2 | 8 | 8k+ | Nonce verification recommended |
| #6026 | WP Events Manager WooCommerce | 81 | 20 | 10 | 1k+ | Text Domain Mismatch |
| #6027 | WP GIF Player – Play & Pause | 81 | 6 | 4 | 400 | Output is not escaped |
| #6028 | Require Login | 81 | 9 | 12 | 500 | Non-prefixed function |
| #6029 | Wp Tracking Codes | 81 | 7 | 12 | 900 | Nonce verification recommended |
| #6030 | Accordion Toggle | 82 | 17 | 11 | 2k+ | Non-prefixed class |
| #6031 | ACF Multi Dates Field | 82 | 6 | 8 | 1k+ | Not In Footer |
| #6032 | Add New Default Avatar | 82 | 21 | 0 | 500 | Output is not escaped |
| #6033 | Add-on Brevo for Gravity Forms | 82 | 15 | 13 | 1k+ | Text Domain Mismatch |
| #6034 | Agent Image News | 82 | 11 | 1 | 2k+ | Output is not escaped |
| #6035 | Bookero.pl – system rezerwacji online | 82 | 12 | 7 | 1k+ | curl curl setopt |
| #6036 | Bulk Menu Edit | 82 | 4 | 9 | 700 | Direct Query |
| #6037 | Clean Image Filenames | 82 | 6 | 1 | 30k+ | Output is not escaped |
| #6038 | CodePen Embed Block | 82 | 8 | 3 | 600 | Text Domain Mismatch |
| #6039 | Colibri Page Builder | 82 | 138 | 31 | 90k+ | Missing direct file access protection |
| #6040 | Awin Publisher MasterTag | 82 | 6 | 6 | 1k+ | Non-prefixed global variable |
| #6041 | Custom 404 Error Page | 82 | 12 | 3 | 1k+ | Text Domain Mismatch |
| #6042 | Timber Debug Bar | 82 | 12 | 0 | 600 | Output is not escaped |
| #6043 | Editor Blocks for Gutenberg | 82 | 6 | 8 | 700 | Missing direct file access protection |
| #6044 | Genesis eNews Extended | 82 | 9 | 1 | 40k+ | Output is not escaped |
| #6045 | Easy Genesis Logo Uploader | 82 | 18 | 5 | 400 | Output is not escaped |
| #6046 | Head & Footer Code | 82 | 1 | 15 | 100k+ | Non-prefixed constant |
| #6047 | Iknow Extra | 82 | 6 | 5 | 400 | Missing direct file access protection |
| #6048 | Indent Lists Button | 82 | 10 | 3 | 700 | Output is not escaped |
| #6049 | Japanese Proofreading Preview | 82 | 11 | 5 | 400 | Nonce verification recommended |
| #6050 | Link Juice Optimizer | 82 | 12 | 6 | 6k+ | Output is not escaped |