WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
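As an added illustration (not code from this page or from any plugin listed below), a hypothetical `[profile_card]` shortcode handler is shown first in the form the sniff flags and then in the fixed form, with each value escaped for the context it lands in:

```php
<?php
// Added example; the shortcode, its attributes and both functions are assumptions
// made for illustration and do not come from any real plugin.

// Before: every attribute value reaches the page unescaped. Shortcode return
// values are echoed by WordPress, so each concatenation is HTML output and the
// sniff reports it. A value such as name="<script>..." would render as markup.
function example_profile_card_unescaped( $atts ) {
    $atts = shortcode_atts( array( 'name' => '', 'url' => '', 'bio' => '' ), $atts );
    $out  = '<div class="card" title="' . $atts['name'] . '">';
    $out .= '<a href="' . $atts['url'] . '">' . $atts['name'] . '</a>';
    $out .= '<p>' . $atts['bio'] . '</p></div>';
    return $out;
}

// After: escaping happens at the point of output and is chosen per context.
function example_profile_card_escaped( $atts ) {
    $atts = shortcode_atts( array( 'name' => '', 'url' => '', 'bio' => '' ), $atts );

    // HTML attribute value: esc_attr() encodes quotes so the value cannot
    // terminate the attribute and start a new one.
    $out  = '<div class="card" title="' . esc_attr( $atts['name'] ) . '">';

    // href: esc_url() both encodes the value and rejects disallowed schemes,
    // so esc_attr() alone would not be the right choice here.
    $out .= '<a href="' . esc_url( $atts['url'] ) . '">';

    // Text node: esc_html() encodes < > & and quotes.
    $out .= esc_html( $atts['name'] ) . '</a>';

    // Limited HTML is intentionally allowed in the bio, so wp_kses_post()
    // keeps post-safe tags and attributes and strips everything else.
    $out .= '<p>' . wp_kses_post( $atts['bio'] ) . '</p></div>';

    return $out;
}

add_shortcode( 'profile_card', 'example_profile_card_escaped' );
```

Escaping the same value twice with different functions (for example `esc_html()` inside an attribute) is a context mismatch, not extra safety, which is why the fix list says to escape once, as late as possible, with the function that matches the final context.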
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #6201 | Zoho Forms – Drag & Drop Form Builder for Websites – Contact Forms, Payment Forms, Order Forms & More | 85 | 16 | 2 | 10k+ | | | Non Enqueued Script |
| #6202 | Advanced Custom Fields Contact Form 7 | 86 | 10 | 4 | 800 | | | Short PHP open tag found |
| #6203 | Featured image to All-Posts | 86 | 6 | 5 | 400 | | | Nonce verification recommended |
| #6204 | Admin Notice | 86 | 7 | 1 | 600 | | | Output is not escaped |
| #6205 | Advanced Queries | 86 | 6 | 11 | 10k+ | | | Non-prefixed constant |
| #6206 | AM LottiePlayer | 86 | 5 | 12 | 800 | | | Non-prefixed global variable |
| #6207 | Block Pattern Builder | 86 | 10 | 5 | 600 | | | Missing Translators Comment |
| #6208 | Blockly – Gutenberg Blocks | 86 | 6 | 17 | 600 | | | Non-prefixed constant |
| #6209 | Boxtal – Shipping solution | 86 | 4 | 92 | 9k+ | | | Non-prefixed global variable |
| #6210 | Browser Screenshots | 86 | 15 | 3 | 3k+ | | | wp function not compatible with requires wp |
| #6211 | CMB2 Field Type: Font Awesome | 86 | 10 | 1 | 400 | | | Offloaded Content |
| #6212 | Custom Content Width | 86 | 8 | 0 | 1k+ | | | Text Domain Mismatch |
| #6213 | Custom Error Messages for Gravity Forms | 86 | 3 | 4 | 400 | | | Output is not escaped |
| #6214 | Debug Bar Actions and Filters Addon | 86 | 6 | 4 | 400 | | | Forbidden PHP function found |
| #6215 | Disable Block Editor FullScreen mode | 86 | 7 | 2 | 1k+ | | | Output is not escaped |
| #6216 | Eazy Under Construction | 86 | 82 | 0 | 600 | | | wp function not compatible with requires wp |
| #6217 | Twice Commerce – Easy Rental Booking System | 86 | 9 | 1 | 400 | | | Output is not escaped |
| #6218 | Enhanced Autoload Manager | 86 | 4 | 13 | 500 | | | Direct Query |
| #6219 | Extra Styling for MemberPress | 86 | 64 | 7 | 500 | | | Text Domain Mismatch |
| #6220 | Feed JSON | 86 | 9 | 15 | 500 | | | Non-prefixed global variable |
| #6221 | Flowplayer Video Player | 86 | 8 | 7 | 1k+ | | | Output is not escaped |
| #6222 | GN Publisher: Google News Compatible RSS Feeds | 86 | 76 | 6 | 20k+ | | | wp function not compatible with requires wp |
| #6223 | Hotfix | 86 | 11 | 8 | 4k+ | | | Deprecated class: services_json |
| #6224 | HT Newsletter for Elementor | 86 | 53 | 3 | 700 | | | Text Domain Mismatch |
| #6225 | Getnet Argentina para WooCommerce | 86 | 14 | 9 | 500 | | | Text Domain Mismatch |
| #6226 | Latest Posts Block – Dynamic Posts Grid, Posts List, Posts Tile with Stunning Layouts for WordPress Blogs & Pages | 86 | 9 | 8 | 7k+ | | | Missing Version |
| #6227 | Magni Image Flip For WooCommerce | 86 | 24 | 8 | 700 | | | Text Domain Mismatch |
| #6228 | Math Captcha for Elementor Forms | 86 | 10 | 2 | 3k+ | | | No Explicit Version |
| #6229 | Add post thumbnail to wp-admin list view | 86 | 5 | 5 | 400 | | | Nonce verification recommended |
| #6230 | Ocean Product Sharing | 86 | 9 | 18 | 20k+ | | | Non-prefixed global variable |
| #6231 | Payment Gateway Icons For WooCommerce | 86 | 2 | 4 | 1k+ | | | Input is not sanitized |
| #6232 | Popup Trigger URL for Elementor Pro | 86 | 2 | 4 | 10k+ | | | Nonce verification recommended |
| #6233 | Printus – Automatic Cloud Printing for WooCommerce | 86 | 28 | 20 | 800 | | | Missing Arg Domain |
| #6234 | Social Divi | 86 | 15 | 8 | 2k+ | | | Missing direct file access protection |
| #6235 | Social Sharing Block | 86 | 5 | 11 | 7k+ | | | Non-prefixed global variable |
| #6236 | Socials Ignited | 86 | 12 | 2 | 2k+ | | | Missing direct file access protection |
| #6237 | Subtitles | 86 | 4 | 9 | 3k+ | | | Non-prefixed hook name |
| #6238 | Thank you page viewer for Woocommerce | 86 | 6 | 3 | 500 | | | Output is not escaped |
| #6239 | Ticket Tailor — Event Ticketing & Registration | 86 | 3 | 3 | 4k+ | | | Non Enqueued Script |
| #6240 | Update Notifier | 86 | 8 | 1 | 700 | | | Output is not escaped |
| #6241 | Shipping Method Description for WooCommerce | 86 | 9 | 12 | 1k+ | | | Non-prefixed global variable |
| #6242 | Custom Add To Cart Button for WooCommerce | 86 | 11 | 3 | 10k+ | | | Output is not escaped |
| #6243 | WordClever – AI Content Writer | 86 | 4 | 2 | 3k+ | | | Missing direct file access protection |
| #6244 | WP fancybox | 86 | 7 | 8 | 1k+ | | | Output is not escaped |
| #6245 | WP Image Size Limit | 86 | 7 | 6 | 3k+ | | | Output is not escaped |
| #6246 | WP Upload Restriction | 86 | 59 | 16 | 2k+ | | | Text Domain Mismatch |
| #6247 | Alligator Menu Popup | 87 | 4 | 1 | 600 | | | Missing Arg Domain |
| #6248 | bbPress Enable TinyMCE Visual Tab | 87 | 12 | 4 | 600 | | | Text Domain Mismatch |
| #6249 | CF7 Google Captcha Load After Page | 87 | 7 | 2 | 2k+ | | | Output is not escaped |
| #6250 | Click To Tweet | 87 | 8 | 7 | 2k+ | | | trademarked term |