WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can lead to cross-site scripting (XSS) whenever an attacker controls any part of the value being printed, whether it comes from request data, a stored option, post content or the return value of a function.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
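A before/after rendering of the same stored option, as an added example that is not the page's code or any listed plugin's; the option name `myplugin_banner`, its keys and the function names are assumptions, and WordPress is assumed to be loaded:

```php
<?php
// Added example, not from the page or any plugin listed on it. Assumes WordPress
// is loaded so esc_html(), esc_attr(), esc_url(), wp_kses() and get_option() exist.
// The option name 'myplugin_banner' and the function names are hypothetical; the
// option holds an array with keys 'title', 'css_class', 'link' and 'body'.

// BEFORE: every value reaches the page unescaped. The sniff reports each echo,
// and anyone who can alter the stored option can inject markup or script.
function myplugin_render_banner_unsafe() {
    $banner = get_option( 'myplugin_banner', array() );
    echo '<div class="' . $banner['css_class'] . '">';
    echo '<h2>' . $banner['title'] . '</h2>';
    echo '<a href="' . $banner['link'] . '">' . $banner['title'] . '</a>';
    echo '<p>' . $banner['body'] . '</p>';
    echo '</div>';
}

// AFTER: same output, escaped right before printing, with the function chosen
// by the context each value lands in.
function myplugin_render_banner() {
    $banner = get_option( 'myplugin_banner', array() );
    $title  = $banner['title'] ?? '';
    $class  = $banner['css_class'] ?? '';
    $link   = $banner['link'] ?? '';
    $body   = $banner['body'] ?? '';

    // Allowlist for the body, where some formatting is intended. Tags and
    // attributes outside this list (script, on* handlers, unknown tags) are
    // stripped, and wp_kses() also rejects href values with disallowed schemes.
    $allowed_body_tags = array(
        'strong' => array(),
        'em'     => array(),
        'br'     => array(),
        'a'      => array( 'href' => array(), 'title' => array() ),
    );

    // Attribute context: esc_attr() encodes quotes so the value cannot close
    // the attribute and start a new one.
    echo '<div class="' . esc_attr( $class ) . '">';
    // Text context: esc_html() turns < > & " ' into entities.
    echo '<h2>' . esc_html( $title ) . '</h2>';
    // URL context: esc_url() drops unsafe schemes such as javascript: and
    // returns a string that is safe inside an href attribute.
    printf( '<a href="%s">%s</a>', esc_url( $link ), esc_html( $title ) );
    // Limited HTML: wp_kses() keeps only the allowlisted tags and attributes;
    // esc_html() here would flatten the intended formatting instead.
    echo '<p>' . wp_kses( $body, $allowed_body_tags ) . '</p>';
    echo '</div>';
}
```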
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue |
|---|---|---|---|---|---|---|
| #6101 | Homepage Control | 83 | 13 | 3 | 9k+ | Output is not escaped |
| #6102 | Inspectlet – AI-Powered Session Replay, Heatmaps & Analytics | 83 | 13 | 2 | 700 | Text Domain Mismatch |
| #6103 | Login Logo | 83 | 10 | 0 | 40k+ | Output is not escaped |
| #6104 | Mailster SendGrid Integration | 83 | 23 | 3 | 1k+ | Missing Translators Comment |
| #6105 | Make Disable Admin Email Verification Prompt \| Aims Infosoft | 83 | 10 | 4 | 2k+ | Text Domain Mismatch |
| #6106 | Mammoth .docx converter | 83 | 11 | 0 | 20k+ | Output is not escaped |
| #6107 | Max Addons for Bricks Builder | 83 | 6 | 29 | 1k+ | Post Not In exclude |
| #6108 | Menu Duplicator | 83 | 2 | 9 | 10k+ | Non-prefixed constant |
| #6109 | Add menu separators to navigation | 83 | 8 | 7 | 900 | Non-prefixed hook name |
| #6110 | Mouseflow for WordPress | 83 | 9 | 8 | 7k+ | Output is not escaped |
| #6111 | oik-privacy-policy | 83 | 14 | 42 | 700 | No Html Wrapped Strings |
| #6112 | Photo Sphere Viewer – 360° Panorama, Virtual Tour, 360 Video & AR 3D Model Viewer | 83 | 13 | 10 | 500 | wp function not compatible with requires wp |
| #6113 | PlugVersions – Easily roll back to previous versions of your plugins. | 83 | 9 | 6 | 1k+ | Request data is not unslashed |
| #6114 | Post Meta Inspector | 83 | 6 | 1 | 2k+ | Unsafe printing function |
| #6115 | Post Views for Jetpack | 83 | 12 | 3 | 1k+ | Output is not escaped |
| #6116 | Fixed Widget and Sticky Elements for WordPress | 83 | 7 | 13 | 80k+ | Non-prefixed global variable |
| #6117 | Simple Share Buttons Adder | 83 | 157 | 202 | 40k+ | Missing direct file access protection |
| #6118 | Smartslider | 83 | 13 | 0 | 600 | Output is not escaped |
| #6119 | Sticky Header by ThematoSoup | 83 | 20 | 5 | 1k+ | Non Singular String Literal Domain |
| #6120 | Swipe Slider – Make dynamic slider with solid, gradient, or image background | 83 | 2 | 15 | 3k+ | Non-prefixed global variable |
| #6121 | Upload Url and Path Enabler | 83 | 10 | 1 | 2k+ | Missing Arg Domain |
| #6122 | VA Social Buzz | 83 | 13 | 2 | 1k+ | Output is not escaped |
| #6123 | WPC AJAX Search for WooCommerce | 83 | 1 | 29 | 1k+ | Nonce verification recommended |
| #6124 | Zhanzhangb Indexing Submission for Baidu | 83 | 14 | 4 | 2k+ | Output is not escaped |
| #6125 | Blocks for ACF Fields — Display Custom Fields in the Block Editor | 84 | 5 | 24 | 1k+ | Non-prefixed hook name |
| #6126 | Acme Demo Setup | 84 | 8 | 6 | 10k+ | Non-prefixed function |
| #6127 | Dynific Addons for Elementor (formerly AnyWhere Elementor) | 84 | 33 | 5 | 70k+ | Text Domain Mismatch |
| #6128 | Append extensions on Pages | 84 | 7 | 3 | 800 | Missing direct file access protection |
| #6129 | Astra Theme Visual Hooks | 84 | 54 | 5 | 2k+ | Text Domain Mismatch |
| #6130 | AWEOS PHP Server Info | 84 | 8 | 3 | 2k+ | Output is not escaped |
| #6131 | Better Post & Filter Widgets for Elementor | 84 | 7 | 27 | 3k+ | slow db query tax query |
| #6132 | Change Admin Email | 84 | 4 | 4 | 50k+ | Missing nonce verification |
| #6133 | ClickShip | 84 | 13 | 5 | 1k+ | Output is not escaped |
| #6134 | Comments Form Star Rating Plugin for WordPress | 84 | 3 | 10 | 2k+ | Missing nonce verification |
| #6135 | Crazy Egg | 84 | 12 | 1 | 7k+ | wp function not compatible with requires wp |
| #6136 | Filterable Portfolio | 84 | 3 | 76 | 1k+ | Non-prefixed global variable |
| #6137 | FlippingBook | 84 | 14 | 6 | 2k+ | Missing Translators Comment |
| #6138 | Genesis Simple Hooks | 84 | 14 | 1 | 20k+ | Output is not escaped |
| #6139 | Get the Image | 84 | 8 | 8 | 7k+ | Non-prefixed hook name |
| #6140 | HHG for TranslatePress | 84 | 43 | 18 | 700 | curl curl setopt |
| #6141 | LearnPress – Prerequisites Courses | 84 | 8 | 14 | 6k+ | Non-prefixed constant |
| #6142 | MotoPress Hotel Booking for Elementor | 84 | 3 | 19 | 10k+ | Non-prefixed global variable |
| #6143 | Ocean Social Sharing | 84 | 10 | 36 | 70k+ | Non-prefixed global variable |
| #6144 | PHP Info | 84 | 8 | 5 | 600 | Output is not escaped |
| #6145 | Plugin Security Scanner | 84 | 9 | 9 | 800 | Output is not escaped |
| #6146 | Public Post Preview Configurator | 84 | 14 | 6 | 10k+ | Non Singular String Literal Domain |
| #6147 | RS Author Info Box | 84 | 36 | 2 | 2k+ | Text Domain Mismatch |
| #6148 | SellKit – Funnel builder and checkout optimizer for WooCommerce to sell more, faster | 84 | 9 | 17 | 8k+ | Non-prefixed class |
| #6149 | Simple Testimonials Showcase | 84 | 33 | 11 | 500 | Missing Translators Comment |
| #6150 | SlickNav Mobile Menu | 84 | 13 | 0 | 3k+ | Output is not escaped |