WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
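As an added example (not code from the page or from any plugin listed below), the same shortcode handler is shown twice: first the version this sniff flags, then the same handler escaping each value for the context it is printed into. The shortcode tag, its attributes and the option name are hypothetical.

```php
<?php
// Added illustration, not from the page or any listed plugin. The tag
// `demo_profile_card`, its attributes and the option `demo_card_color`
// are invented for this example.

// Flagged by WordPress.Security.EscapeOutput.OutputNotEscaped: every value
// reaches the HTML raw, so anyone who can set the shortcode attributes or
// the option controls markup in the visitor's browser.
function demo_profile_card_unescaped( $atts ) {
    $atts  = shortcode_atts( array( 'name' => '', 'link' => '', 'bio' => '' ), $atts, 'demo_profile_card' );
    $color = get_option( 'demo_card_color', '#333' );

    return '<div class="card" style="color:' . $color . '">'
        . '<a href="' . $atts['link'] . '">' . $atts['name'] . '</a>'
        . '<p>' . $atts['bio'] . '</p>'
        . '</div>';
}

// Fixed: escape right before output, choosing the function that matches
// where each string ends up.
//   esc_attr()     -> inside a quoted attribute (style="...")
//   esc_url()      -> an href; also rejects unsafe schemes such as javascript:
//   esc_html()     -> a text node between tags
//   wp_kses_post() -> a value that is allowed to carry limited post HTML
function demo_profile_card_escaped( $atts ) {
    $atts  = shortcode_atts( array( 'name' => '', 'link' => '', 'bio' => '' ), $atts, 'demo_profile_card' );
    $color = get_option( 'demo_card_color', '#333' );

    return '<div class="card" style="color:' . esc_attr( $color ) . '">'
        . '<a href="' . esc_url( $atts['link'] ) . '">' . esc_html( $atts['name'] ) . '</a>'
        . '<p>' . wp_kses_post( $atts['bio'] ) . '</p>'
        . '</div>';
}

add_shortcode( 'demo_profile_card', 'demo_profile_card_escaped' );
```

Note that escaping a value once for one context does not cover another: the same `$color` would still need `esc_html()` if it were also printed as visible text.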
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #6151 | Easy Duplicate Product for WooCommerce | 84 | 7 | 8 | 3k+ | | | Missing direct file access protection |
| #6152 | Order on Mobile for WooCommerce | 84 | 14 | 1 | 7k+ | | | Output is not escaped |
| #6153 | Override String Translations | 84 | 8 | 6 | 1k+ | | | Nonce verification recommended |
| #6154 | wpautop control | 84 | 7 | 5 | 1k+ | | | trademarked term |
| #6155 | WPB Accordion Menu – Collapsible Vertical Sidebar Menu – WooCommerce Category Accordion | 84 | 5 | 59 | 10k+ | | | Non-prefixed hook name |
| #6156 | WPLANG Lite | 84 | 8 | 5 | 400 | | | trademarked term |
| #6157 | WPML Shortcodes | 84 | 7 | 12 | 900 | | | Non-prefixed function |
| #6158 | Wrap form fields in Gravity Forms | 84 | 22 | 3 | 1k+ | | | Text Domain Mismatch |
| #6159 | ACF YouTube Picker | 85 | 82 | 7 | 400 | | | Text Domain Mismatch |
| #6160 | ATR Cookie Notice | 85 | 7 | 2 | 800 | | | Output is not escaped |
| #6161 | Attendance Manager | 85 | 93 | 21 | 800 | | | date date |
| #6162 | Better Business Reviews – Trustpilot WordPress Plugin | 85 | 4 | 7 | 3k+ | | | Output is not escaped |
| #6163 | Country Dropdown For Contact Form 7 | 85 | 17 | 4 | 800 | | | Text Domain Mismatch |
| #6164 | GamiPress – Leaderboards Include/Exclude Users | 85 | 11 | 3 | 500 | | | Output is not escaped |
| #6165 | Genesis Easy Columns | 85 | 8 | 1 | 2k+ | | | Missing direct file access protection |
| #6166 | Hello Dolly | 85 | 9 | 2 | 600k+ | | | Output is not escaped |
| #6167 | Hide Any Page | 85 | 8 | 2 | 500 | | | Output is not escaped |
| #6168 | WP Ghost (Hide My WP Ghost) – Security & Firewall | 85 | 6 | 373 | 100k+ | | | Non-prefixed global variable |
| #6169 | La Poste Pro Expéditions WooCommerce | 85 | 4 | 95 | 1k+ | | | Non-prefixed global variable |
| #6170 | Marquee Running Text | 85 | 11 | 7 | 5k+ | | | Missing direct file access protection |
| #6171 | MyCryptoCheckout – Bitcoin, Ethereum, and 100+ altcoins for WooCommerce | 85 | 6 | 7 | 8k+ | | | Missing Translators Comment |
| #6172 | Ocean Stick Anything | 85 | 6 | 6 | 20k+ | | | Missing Arg Domain |
| #6173 | Payment Integration Wompi | 85 | 44 | 11 | 1k+ | | | Missing Arg Domain |
| #6174 | Popup Message Notifier for Contact Form 7 | 85 | 17 | 2 | 1k+ | | | Short PHP open tag found |
| #6175 | Portfolios | 85 | 10 | 2 | 700 | | | Output is not escaped |
| #6176 | Posts Character Count Admin | 85 | 9 | 0 | 1k+ | | | Output is not escaped |
| #6177 | Power Captcha reCAPTCHA | 85 | 4 | 7 | 1k+ | | | Database parameter is not escaped |
| #6178 | LocaliQ – Tracking Code | 85 | 11 | 11 | 2k+ | | | Non-prefixed function |
| #6179 | Referrer Input for Contact Form 7 | 85 | 39 | 2 | 500 | | | wp function not compatible with requires wp |
| #6180 | Remove Yoast SEO Comments | 85 | 12 | 5 | 10k+ | | | wp function not compatible with requires wp |
| #6181 | Review widget addon for Elementor | 85 | 8 | 9 | 1k+ | | | Non-prefixed function |
| #6182 | Save and Continue Link Recovery for Gravity Forms | 85 | 16 | 5 | 400 | | | Text Domain Mismatch |
| #6183 | Simple Automatic Updates | 85 | 18 | 1 | 2k+ | | | Missing Translators Comment |
| #6184 | Smoothscroller | 85 | 9 | 2 | 500 | | | Output is not escaped |
| #6185 | States, Cities, and Places for WooCommerce | 85 | 101 | 192 | 6k+ | | | Non-prefixed global variable |
| #6186 | Stock market charts from finviz | 85 | 8 | 1 | 400 | | | Missing Arg Domain |
| #6187 | Storefront Hamburger Menu | 85 | 9 | 1 | 2k+ | | | Output is not escaped |
| #6188 | The Excerpt re-reloaded | 85 | 7 | 0 | 600 | | | Output is not escaped |
| #6189 | TopBar Call To Action | 85 | 40 | 5 | 2k+ | | | Text Domain Mismatch |
| #6190 | Visual Header | 85 | 6 | 42 | 400 | | | Non-prefixed function |
| #6191 | VK Blocks | 85 | 79 | 4 | 100k+ | | | Missing direct file access protection |
| #6192 | Free Shipping Per Product for WooCommerce | 85 | 21 | 3 | 3k+ | | | Text Domain Mismatch |
| #6193 | Notification for WooCommerce \| Boost Your Sales – Recent Sales Popup – Live Feed Sales – Upsells | 85 | 9 | 35 | 6k+ | | | Non-prefixed constant |
| #6194 | All Currencies for WooCommerce | 85 | 17 | 3 | 1k+ | | | Missing Translators Comment |
| #6195 | WP Deferred JavaScripts | 85 | 10 | 7 | 800 | | | Output is not escaped |
| #6196 | WP fail2ban Add-on for Contact Form 7 | 85 | 10 | 18 | 800 | | | Non-prefixed constant |
| #6197 | WP fail2ban Add-on for Gravity Forms | 85 | 10 | 18 | 600 | | | Non-prefixed constant |
| #6198 | Flexible Map | 85 | 10 | 7 | 7k+ | | | Non-prefixed class |
| #6199 | WP Protect Content | 85 | 7 | 7 | 1k+ | | | Output is not escaped |
| #6200 | Yuma Companion | 85 | 10 | 7 | 400 | | | Missing direct file access protection |