WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
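The fixes above applied to one template function, as an added example that is not taken from any plugin listed on this page. The `myplugin_` function and option names and the `myplugin` text domain are hypothetical, and the code assumes it is loaded inside WordPress.

```php
<?php
// Added example; "myplugin_*" names and the 'myplugin' text domain are hypothetical.
// Assumes it runs inside WordPress, which defines get_option() and the esc_*() helpers.

// Before: the sniff reports the echo statements that print $class, $title,
// $link, $body and the unescaped __() result.
function myplugin_render_notice_unescaped( $class ) {
	$title = get_option( 'myplugin_notice_title', '' );
	$link  = get_option( 'myplugin_notice_link', '' );
	$body  = get_option( 'myplugin_notice_body', '' );

	echo '<div class="' . $class . '">';
	echo '<h2>' . $title . '</h2>';
	echo '<a href="' . $link . '">' . __( 'Read more', 'myplugin' ) . '</a>';
	echo $body;
	echo '</div>';
}

// After: values stay raw until the output call, where each one gets the
// escaping function for the context it lands in.
function myplugin_render_notice( $class ) {
	$title = get_option( 'myplugin_notice_title', '' );
	$link  = get_option( 'myplugin_notice_link', '' );
	$body  = get_option( 'myplugin_notice_body', '' );

	printf(
		'<div class="%1$s"><h2>%2$s</h2><a href="%3$s">%4$s</a>%5$s</div>',
		esc_attr( $class ),                    // attribute value
		esc_html( $title ),                    // plain text inside an element
		esc_url( $link ),                      // URL in href
		esc_html__( 'Read more', 'myplugin' ), // translated plain text
		wp_kses_post( $body )                  // limited HTML, intentionally allowed
	);
}
```

`wp_kses_post()` keeps the tags WordPress permits in post content; pass an explicit allowed-tags array to `wp_kses()` when the field should accept a narrower set.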
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #6301 | Animate on Scroll | 89 | 2 | 4 | 4k+ | Input is not validated | ||
| #6302 | Blog Filter – Post Grid Filter by Category or Tag | 89 | 1 | 5 | 7k+ | Nonce verification recommended | ||
| #6303 | Bottom Admin Toolbar | 89 | 5 | 1 | 1k+ | Output is not escaped | ||
| #6304 | Breadcrumb Trail | 89 | 6 | 4 | 10k+ | Non-prefixed hook name | ||
| #6305 | CJdropshipping | 89 | 4 | 2 | 3k+ | Missing Arg Domain | ||
| #6306 | Clarity – Ad blocker for WordPress | 89 | 5 | 19 | 2k+ | Non-prefixed hook name | ||
| #6307 | Clear cache for Timber | 89 | 20 | 1 | 500 | wp function not compatible with requires wp | ||
| #6308 | Content Update Scheduler | 89 | 2 | 17 | 2k+ | Non-prefixed global variable | ||
| #6309 | CSS | 89 | 10 | 1 | 500 | Missing Arg Domain | ||
| #6310 | EDD Auto Register | 89 | 13 | 7 | 900 | Missing Translators Comment | ||
| #6311 | elegro Crypto Payment | 89 | 5 | 9 | 20k+ | Missing Version | ||
| #6312 | Fancy Elementor Flipbox | 89 | 4 | 3 | 5k+ | Output is not escaped | ||
| #6313 | Cool Flipbox – Shortcode & Gutenberg Block | 89 | 29 | 10 | 5k+ | wp function not compatible with requires wp | ||
| #6314 | GamiPress – WooCommerce Points Per Purchase Total | 89 | 11 | 5 | 400 | trademarked term | ||
| #6315 | HivePress Claim Listings | 89 | 8 | 1 | 3k+ | Missing Translators Comment | ||
| #6316 | Image & Text Widget | 89 | 4 | 4 | 1k+ | Missing Version | ||
| #6317 | Open Links In New Tab | 89 | 5 | 3 | 900 | Missing direct file access protection | ||
| #6318 | Page Sidebar for Twenty Seventeen | 89 | 110 | 14 | 1k+ | Text Domain Mismatch | ||
| #6319 | Shipping by City for Woocommerce | 89 | 13 | 2 | 400 | Text Domain Mismatch | ||
| #6320 | Show modified Date in admin lists | 89 | 4 | 3 | 6k+ | Output is not escaped | ||
| #6321 | Simple Divi Shortcode | 89 | 5 | 0 | 10k+ | Output is not escaped | ||
| #6322 | Slimbox Plugin | 89 | 9 | 2 | 600 | Non Enqueued Script | ||
| #6323 | WPChat – Live Chat & Messaging Widget for Customer Support | 89 | 6 | 7 | 2k+ | wp function not compatible with requires wp | ||
| #6324 | Speed Up – JavaScript To Footer | 89 | 4 | 1 | 1k+ | Output is not escaped | ||
| #6325 | Speed Up – Optimize CSS Delivery | 89 | 4 | 1 | 600 | Output is not escaped | ||
| #6326 | WP Anywhere Widgets | 89 | 16 | 14 | 700 | wp function not compatible with requires wp | ||
| #6327 | WP Colorbox | 89 | 5 | 6 | 5k+ | trademarked term | ||
| #6328 | WordPress Widgets Shortcode | 89 | 5 | 4 | 500 | trademarked term | ||
| #6329 | wetracked.io for WooCommerce | 89 | 4 | 9 | 600 | Non-prefixed constant | ||
| #6330 | Advanced Custom Fields: Restrict Color Picker Options | 90 | 4 | 3 | 1k+ | Output is not escaped | ||
| #6331 | Ammu Demo Import | 90 | 12 | 19 | 400 | Deprecated function: get_page_by_title | ||
| #6332 | Toolbox for Beaver Builder | 90 | 8 | 7 | 600 | Missing Version | ||
| #6333 | Billbee – Auftragsabwicklung, Warenwirtschaft, Automatisierung | 90 | 8 | 7 | 500 | Non-prefixed function | ||
| #6334 | Card Elements for WPBakery | 90 | 1 | 208 | 500 | Non-prefixed global variable | ||
| #6335 | Child Themify | 90 | 10 | 4 | 7k+ | Missing direct file access protection | ||
| #6336 | Cimo – Free Instant Image Optimizer & WebP Converter | 90 | 6 | 4 | 8k+ | Missing Translators Comment | ||
| #6337 | Compact Archives | 90 | 8 | 14 | 2k+ | Non-prefixed function | ||
| #6338 | Comunas de Chile para WooCommerce | 90 | 5 | 6 | 2k+ | trademarked term | ||
| #6339 | Conditional Blocks – Advanced Content Visibility Control for WordPress | 90 | 10 | 22 | 2k+ | Missing direct file access protection | ||
| #6340 | Continue Shopping Anywhere for WooCommerce | 90 | 21 | 10 | 700 | Text Domain Mismatch | ||
| #6341 | CookiePro \| Simplify Compliance with GDPR & EU Cookie Laws | 90 | 37 | 5 | 1k+ | Missing Arg Domain | ||
| #6342 | «Подсказки» от DaData.ru | 90 | 5 | 5 | 700 | Not In Footer | ||
| #6343 | Prevent Content Theft [Disable Right Click] | 90 | 4 | 6 | 1k+ | Missing Version | ||
| #6344 | Disable RSS | 90 | 8 | 0 | 500 | Missing Arg Domain | ||
| #6345 | Dynamic Year Block – display a copyright notice in your footer with the current year | 90 | 5 | 28 | 2k+ | Non-prefixed global variable | ||
| #6346 | Easy Auto SKU Generator for WooCommerce | 90 | 21 | 13 | 10k+ | Missing direct file access protection | ||
| #6347 | Ergonet Cache | 90 | 3 | 2 | 2k+ | Output is not escaped | ||
| #6348 | Multiple Columns for Gravity Forms | 90 | 11 | 7 | 10k+ | Missing direct file access protection | ||
| #6349 | Gravity Forms – Placeholders add-on | 90 | 5 | 5 | 2k+ | trademarked term | ||
| #6350 | If-So Conditional Content for Elementor | 90 | 5 | 1 | 1k+ | Missing direct file access protection |