WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
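The three output contexts from the list above in one render function, with the flagged version next to the escaped one. This is an added example, not code from any plugin listed on this page; the `myplugin_*` function names and option keys are hypothetical, and it assumes it runs inside WordPress.

```php
<?php
// Added example: hypothetical plugin code; the myplugin_* names and option keys are assumptions.
// Runs inside WordPress (needs get_option(), the esc_*() functions and wp_kses() loaded).

// Before: $url, $label and $note reach the page unescaped, so WPCS reports
// each of them as OutputNotEscaped.
function myplugin_render_badge_unescaped() {
	$label = get_option( 'myplugin_badge_label', '' );
	$url   = get_option( 'myplugin_badge_url', '' );
	$note  = get_option( 'myplugin_badge_note', '' );

	echo '<a class="badge" href="' . $url . '" title="' . $label . '">';
	echo $label;
	echo '</a>';
	echo '<p class="badge-note">' . $note . '</p>';
}

// After: every value is escaped at the point of output, for the context it lands in.
// The same $label is escaped twice, once per context, which is why escaping happens late.
function myplugin_render_badge() {
	$label = get_option( 'myplugin_badge_label', '' );
	$url   = get_option( 'myplugin_badge_url', '' );
	$note  = get_option( 'myplugin_badge_note', '' );

	// The note may carry a small, explicit set of inline tags and nothing else.
	$allowed_note_html = array(
		'a'      => array( 'href' => true ),
		'em'     => array(),
		'strong' => array(),
	);

	printf(
		'<a class="badge" href="%1$s" title="%2$s">%3$s</a>',
		esc_url( $url ),    // URL context: rejects schemes such as javascript:
		esc_attr( $label ), // attribute context: quotes cannot close the attribute
		esc_html( $label )  // text context: markup is displayed as text, not parsed
	);

	echo '<p class="badge-note">' . wp_kses( $note, $allowed_note_html ) . '</p>';
}
```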
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #6051 | Link Juice Optimizer | 82 | 12 | 6 | 6k+ | Output is not escaped | ||
| #6052 | Meks Smart Social Widget | 82 | 10 | 2 | 10k+ | Output is not escaped | ||
| #6053 | MyBookTable Bookstore by Stormhill Media | 82 | 15 | 33 | 1k+ | Direct Query | ||
| #6054 | mypace Custom Meta Robots | 82 | 4 | 6 | 2k+ | Input is not sanitized | ||
| #6055 | Property Hive Rental Yield Calculator | 82 | 16 | 2 | 400 | Text Domain Mismatch | ||
| #6056 | Regenerate Thumbnails | 82 | 10 | 9 | 1m+ | Direct Query | ||
| #6057 | WordPress REST API (Version 2) | 82 | 476 | 13 | 10k+ | Missing Arg Domain | ||
| #6058 | Search box on Navigation Menu | 82 | 22 | 3 | 500 | Text Domain Mismatch | ||
| #6059 | Seriously Simple Transcripts | 82 | 35 | 3 | 900 | Text Domain Mismatch | ||
| #6060 | Simple ads.txt | 82 | 8 | 6 | 1k+ | Missing direct file access protection | ||
| #6061 | Simple Page Ordering | 82 | 11 | 9 | 100k+ | Missing Arg Domain | ||
| #6062 | Simple Widget Title Links | 82 | 15 | 3 | 400 | Output is not escaped | ||
| #6063 | SiteNarrator Text-to-Speech Widget | 82 | 12 | 4 | 800 | Output is not escaped | ||
| #6064 | SnapWidget Social Photo Feed Widget | 82 | 9 | 9 | 600 | Output is not escaped | ||
| #6065 | Stop Emails | 82 | 9 | 3 | 5k+ | Missing direct file access protection | ||
| #6066 | Storefront Blog Excerpts | 82 | 24 | 2 | 700 | Text Domain Mismatch | ||
| #6067 | Storefront Homepage Contact Section | 82 | 26 | 2 | 1k+ | Output is not escaped | ||
| #6068 | Super Web Share – Native Social Sharing Button | 82 | 24 | 19 | 2k+ | Non-prefixed function | ||
| #6069 | Tasty Recipes Lite | 82 | 7 | 66 | 2k+ | Non-prefixed global variable | ||
| #6070 | Visual Term Description Editor | 82 | 11 | 5 | 10k+ | Missing Arg Domain | ||
| #6071 | WP Copy Content Protection | 82 | 7 | 6 | 600 | Output is not escaped | ||
| #6072 | WP Mail From II | 82 | 3 | 7 | 5k+ | trademarked term | ||
| #6073 | Flexible Content Extended for Advanced Custom Fields | 83 | 11 | 4 | 700 | Output is not escaped | ||
| #6074 | ACF Repeater & Flexible Content Collapser | 83 | 21 | 4 | 3k+ | Text Domain Mismatch | ||
| #6075 | Advanced Appointment Booking & Scheduling | 83 | 11 | 13 | 3k+ | Text Domain Mismatch | ||
| #6076 | Browser Theme Color | 83 | 4 | 2 | 2k+ | Output is not escaped | ||
| #6077 | Integration of Bitrix24 with Contact Form 7 | 83 | 14 | 40 | 600 | Non-prefixed function | ||
| #6078 | Change WordPress Login Logo | 83 | 5 | 9 | 20k+ | Non-prefixed function | ||
| #6079 | Code Click to Copy | 83 | 12 | 9 | 700 | Non-prefixed function | ||
| #6080 | Custom CSS and JS | 83 | 11 | 1 | 900 | Output is not escaped | ||
| #6081 | dLocal Go Payments | 83 | 9 | 15 | 400 | Missing Translators Comment | ||
| #6082 | Easy Flash Embed | 83 | 9 | 1 | 900 | Output is not escaped | ||
| #6083 | Export emails | 83 | 8 | 7 | 500 | Direct Query | ||
| #6084 | Featured Image Column | 83 | 12 | 2 | 2k+ | Output is not escaped | ||
| #6085 | AI Builder | 83 | 3 | 5 | 400 | Output is not escaped | ||
| #6086 | Date Time Field Add-On for Gravity Form | 83 | 16 | 1 | 1k+ | Output is not escaped | ||
| #6087 | Starter Templates by Gradient Themes | 83 | 27 | 7 | 3k+ | Text Domain Mismatch | ||
| #6088 | Homepage Control | 83 | 13 | 3 | 9k+ | Output is not escaped | ||
| #6089 | Inspectlet – AI-Powered Session Replay, Heatmaps & Analytics | 83 | 13 | 2 | 700 | Text Domain Mismatch | ||
| #6090 | LinkCentral – URL shortener, Affiliate Links & Custom Link Shortener with Link Tracking | 83 | 10 | 225 | 400 | Direct Query | ||
| #6091 | Login Logo | 83 | 10 | 0 | 40k+ | Output is not escaped | ||
| #6092 | Mailster SendGrid Integration | 83 | 23 | 3 | 1k+ | Missing Translators Comment | ||
| #6093 | Make Disable Admin Email Verification Prompt\| Aims Infosoft | 83 | 10 | 4 | 2k+ | Text Domain Mismatch | ||
| #6094 | Mammoth .docx converter | 83 | 11 | 0 | 20k+ | Output is not escaped | ||
| #6095 | Max Addons for Bricks Builder | 83 | 6 | 29 | 1k+ | Post Not In exclude | ||
| #6096 | Menu Duplicator | 83 | 2 | 9 | 10k+ | Non-prefixed constant | ||
| #6097 | Add menu separators to navigation | 83 | 8 | 7 | 900 | Non-prefixed hook name | ||
| #6098 | Mouseflow for WordPress | 83 | 9 | 8 | 7k+ | Output is not escaped | ||
| #6099 | oik-privacy-policy | 83 | 14 | 42 | 700 | No Html Wrapped Strings | ||
| #6100 | Photo Sphere Viewer – 360° Panorama, Virtual Tour, 360 Video & AR 3D Model Viewer | 83 | 13 | 10 | 500 | wp function not compatible with requires wp |