WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
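The three points above, as an added example that is not taken from any plugin listed on this page. It assumes the code runs inside WordPress; the function names, option keys and allowed-tag list are hypothetical.

```php
<?php
// Added example: assumes WordPress is loaded (e.g. this is a plugin file).
// Function names and option keys are hypothetical.
defined( 'ABSPATH' ) || exit;

// Before: each echo is reported as OutputNotEscaped, because stored option
// values reach an attribute, a URL and element content with no escaping.
function myplugin_render_notice_unsafe() {
	$title = get_option( 'myplugin_notice_title', '' );
	$link  = get_option( 'myplugin_notice_link', '' );
	$body  = get_option( 'myplugin_notice_body', '' );

	echo '<div class="notice" title="' . $title . '">';
	echo '<a href="' . $link . '">' . $title . '</a>';
	echo '<p>' . $body . '</p></div>';
}

// After: values stay raw until the output statement, and each one gets the
// escaping function for the context it lands in.
function myplugin_render_notice() {
	$title = get_option( 'myplugin_notice_title', '' );
	$link  = get_option( 'myplugin_notice_link', '' );
	$body  = get_option( 'myplugin_notice_body', '' );

	// Limited HTML is intentionally allowed in the body, so list the tags
	// and attributes that may survive; everything else is stripped.
	$allowed = array(
		'a'      => array( 'href' => true ),
		'strong' => array(),
		'em'     => array(),
	);

	printf(
		'<div class="notice" title="%1$s"><a href="%2$s">%3$s</a><p>%4$s</p></div>',
		esc_attr( $title ),        // attribute context
		esc_url( $link ),          // URL context
		esc_html( $title ),        // plain text inside an element
		wp_kses( $body, $allowed ) // limited HTML
	);
}
```

The same `$title` value is escaped twice with different functions because it is printed in two different contexts, which is why escaping at the point of output works better than escaping once when the value is read.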
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #6351 | PHP Native Password Hash | 90 | 7 | 6 | 2k+ | | | Non-prefixed global variable |
| #6352 | Photection – Easy image protection for WordPress | 90 | 4 | 9 | 1k+ | | | Non-prefixed global variable |
| #6353 | Rapid URL Indexer for WP – Index Websites in Google | 90 | 6 | 28 | 1k+ | | | error log error log |
| #6354 | Replace Broken Images | 90 | 5 | 0 | 1k+ | | | Output is not escaped |
| #6355 | Show Page URL | 90 | 6 | 3 | 1k+ | | | Missing direct file access protection |
| #6356 | Simple Colorbox | 90 | 11 | 1 | 1k+ | | | Missing Arg Domain |
| #6357 | Slash Edit: Admin Shortcuts to Edit Posts and Pages Faster | 90 | 3 | 3 | 500 | | | Output is not escaped |
| #6358 | Tabbed Contents Block – Display Content in Tabbed Layout | 90 | 4 | 36 | 800 | | | Non-prefixed global variable |
| #6359 | Three Column Screen Layout | 90 | 5 | 8 | 1k+ | | | Direct Query |
| #6360 | Visual Hook Guide for Kadence | 90 | 8 | 1 | 500 | | | Text Domain Mismatch |
| #6361 | VK Ads Pixel plugin | 90 | 6 | 4 | 2k+ | | | Missing direct file access protection |
| #6362 | External Product New Tab for WooCommerce | 90 | 3 | 2 | 4k+ | | | Output is not escaped |
| #6363 | Wetterwarner | 90 | 5 | 12 | 500 | | | Non-prefixed function |
| #6364 | BLAZING Email Transfer Payment Gateway | 90 | 23 | 6 | 2k+ | | | Text Domain Mismatch |
| #6365 | WP BrowserUpdate | 90 | 11 | 7 | 1k+ | | | Missing Translators Comment |
| #6366 | WP-Font-Resizer | 90 | 14 | 6 | 400 | | | wp function not compatible with requires wp |
| #6367 | WP PHP Version Display | 90 | 6 | 4 | 3k+ | | | trademarked term |
| #6368 | Zeffy Donate Button | 90 | 3 | 0 | 900 | | | Output is not escaped |
| #6369 | Add Follow Button For Pintrest | 91 | 21 | 5 | 400 | | | Non Singular String Literal Domain |
| #6370 | Admin Dashboard Last Edits | 91 | 5 | 0 | 800 | | | Missing Translators Comment |
| #6371 | Advanced Posts/Page | 91 | 16 | 2 | 3k+ | | | Text Domain Mismatch |
| #6372 | Book Review Block | 91 | 11 | 2 | 1k+ | | | block api version too low |
| #6373 | Change Empty Trash Time | 91 | 5 | 3 | 1k+ | | | Missing direct file access protection |
| #6374 | Childify Me | 91 | 9 | 1 | 8k+ | | | wp function not compatible with requires wp |
| #6375 | Connector GravityForms and MailerLite | 91 | 8 | 2 | 2k+ | | | Missing Translators Comment |
| #6376 | CTA Button Styler | 91 | 3 | 39 | 400 | | | Non-prefixed global variable |
| #6377 | Custom Highlight Color | 91 | 5 | 1 | 900 | | | Missing direct file access protection |
| #6378 | Custom iFrame – Embed PDFs, Videos, and External Content in WordPress (Elementor & Gutenberg) | 91 | 13 | 5 | 3k+ | | | wp function not compatible with requires wp |
| #6379 | Di Blocks – Awesome WordPress Blocks for Gutenberg Editor | 91 | 7 | 3 | 1k+ | | | Missing direct file access protection |
| #6380 | Nút Bấm Liên Hệ Dibrother | 91 | 5 | 2 | 900 | | | Missing Arg Domain |
| #6381 | Easy Digital Downloads Free Link | 91 | 11 | 3 | 1k+ | | | Short PHP open tag found |
| #6382 | Easy Logo Link Change | 91 | 6 | 1 | 1k+ | | | Deprecated function: screen_icon |
| #6383 | Eazy Login Logo | 91 | 4 | 2 | 400 | | | Missing direct file access protection |
| #6384 | ERE Similar Properties – Essential Real Estate Add-On | 91 | 4 | 3 | 1k+ | | | Missing direct file access protection |
| #6385 | FAQ Schema for Elementor | 91 | 11 | 3 | 800 | | | Text Domain Mismatch |
| #6386 | FT Password Protect Children Pages | 91 | 8 | 1 | 400 | | | Missing Arg Domain |
| #6387 | Gravity Forms Confirmation Page List | 91 | 6 | 3 | 400 | | | Missing direct file access protection |
| #6388 | Gravity Forms Placeholder Add-On | 91 | 5 | 4 | 1k+ | | | trademarked term |
| #6389 | Gutentools | 91 | 17 | 10 | 4k+ | | | Missing direct file access protection |
| #6390 | Hot Random Image | 91 | 24 | 1 | 2k+ | | | Text Domain Mismatch |
| #6391 | Lazy Load Elementor Background Images | 91 | 5 | 6 | 1k+ | | | Non-prefixed function |
| #6392 | Lightweight Accordion | 91 | 4 | 3 | 10k+ | | | Non-prefixed function |
| #6393 | Limit Revisions | 91 | 7 | 1 | 1k+ | | | Missing Arg Domain |
| #6394 | Loop Post Navigation Links | 91 | 7 | 5 | 600 | | | Missing Arg Domain |
| #6395 | MAS Static Content | 91 | 3 | 7 | 10k+ | | | Non-prefixed hook name |
| #6396 | matchHeight | 91 | 6 | 2 | 2k+ | | | Non-prefixed global variable |
| #6397 | Parent Category Toggler | 91 | 6 | 0 | 10k+ | | | Missing direct file access protection |
| #6398 | Plugin Groups | 91 | 11 | 9 | 1k+ | | | Non Singular String Literal Domain |
| #6399 | Preload Featured Images | 91 | 2 | 2 | 1k+ | | | Output is not escaped |
| #6400 | Replace Google Fonts with Bunny Fonts | 91 | 6 | 1 | 1k+ | | | wp function not compatible with requires wp |