WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
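The following is an added example, not code from the page or from any of the plugins listed below. It shows one output routine twice: first as the sniff flags it, then with each value escaped by the context it lands in (attribute, URL, text node, or an intentional block of limited HTML). It assumes it runs inside WordPress, where `esc_attr()`, `esc_url()`, `esc_html()`, `wp_kses_post()` and `get_option()` exist; the function names, the option name `myplugin_banner` and the shortcode attribute keys are hypothetical.

```php
<?php
/**
 * Added example (not from the page): the same banner routine before and
 * after escaping. Assumes a WordPress runtime; 'myplugin_banner' and the
 * $atts keys are hypothetical names chosen for illustration.
 */

// BEFORE: every interpolated value reaches HTML unescaped, so WPCS reports
// WordPress.Security.EscapeOutput.OutputNotEscaped on each echo. Note that
// option values are just as untrusted at output time as shortcode attributes:
// whoever can write the option, or the post containing the shortcode, can
// inject markup.
function myplugin_banner_unescaped( $atts ) {
    $opts  = get_option( 'myplugin_banner', array() );         // admin-stored settings
    $title = isset( $atts['title'] ) ? $atts['title'] : '';     // shortcode attribute from post content
    $link  = isset( $opts['link'] ) ? $opts['link'] : '';
    $body  = isset( $opts['body'] ) ? $opts['body'] : '';

    echo '<div class="banner" data-title="' . $title . '">';
    echo '<a href="' . $link . '">' . $title . '</a>';
    echo '<div class="banner-body">' . $body . '</div>';
    echo '</div>';
}

// AFTER: escape as late as possible, right in the echo, choosing the
// function by where the value lands rather than by where it came from.
function myplugin_banner_escaped( $atts ) {
    $opts  = get_option( 'myplugin_banner', array() );
    $title = isset( $atts['title'] ) ? $atts['title'] : '';
    $link  = isset( $opts['link'] ) ? $opts['link'] : '';
    $body  = isset( $opts['body'] ) ? $opts['body'] : '';

    // Attribute value: esc_attr() encodes quotes and angle brackets, so the
    // attribute cannot be closed early and a new one started.
    echo '<div class="banner" data-title="' . esc_attr( $title ) . '">';

    // href: esc_url() drops URLs whose scheme is not in wp_allowed_protocols()
    // (it returns '' for them) and encodes the remainder for attribute use.
    // Text node: esc_html() encodes <, >, & and quotes so no tag survives.
    echo '<a href="' . esc_url( $link ) . '">' . esc_html( $title ) . '</a>';

    // Limited HTML is intentional for the body, so wp_kses_post() keeps the
    // post-content allowlist (paragraphs, links, emphasis) and strips the
    // rest (script elements, on* handlers, unknown attributes) rather than
    // encoding the whole string as esc_html() would.
    echo '<div class="banner-body">' . wp_kses_post( $body ) . '</div>';
    echo '</div>';
}
```

The same title is escaped twice in the fixed version, once with `esc_attr()` and once with `esc_html()`, because it is printed into two different contexts; escaping it once up front and storing the result would satisfy neither context reliably, which is why the rule asks for escaping at the point of output.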
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #6401 | Replace Google Fonts with Bunny Fonts | 91 | 6 | 1 | 1k+ | | | wp function not compatible with requires wp |
| #6402 | Restricted Site Access | 91 | 14 | 11 | 10k+ | | | Missing Arg Domain |
| #6403 | Sensei LMS Post to Course Creator | 91 | 6 | 7 | 1k+ | | | Missing Translators Comment |
| #6404 | Serbian Addons for WooCommerce | 91 | 34 | 13 | 600 | | | Text Domain Mismatch |
| #6405 | Simple Google Analytics Tracking | 91 | 6 | 2 | 1k+ | | | Missing direct file access protection |
| #6406 | Simple Membership Form Shortcode | 91 | 7 | 1 | 2k+ | | | Missing direct file access protection |
| #6407 | Simple WP Maintenance Mode | 91 | 6 | 4 | 2k+ | | | trademarked term |
| #6408 | Simply Show IDs | 91 | 5 | 1 | 3k+ | | | Missing direct file access protection |
| #6409 | Sticky Banner | 91 | 2 | 17 | 700 | | | Non-prefixed global variable |
| #6410 | Storefront Footer Bar | 91 | 6 | 2 | 3k+ | | | Missing Arg Domain |
| #6411 | Thememiles Toolset | 91 | 14 | 2 | 500 | | | Text Domain Mismatch |
| #6412 | Timeline Express HTML Excerpts Add-on | 91 | 9 | 6 | 1k+ | | | Text Domain Mismatch |
| #6413 | Validated | 91 | 7 | 3 | 600 | | | Missing direct file access protection |
| #6414 | WooCommerce New Product Badge | 91 | 8 | 8 | 900 | | | Text Domain Mismatch |
| #6415 | WPS HTML Blocks | 91 | 23 | 4 | 1k+ | | | Text Domain Mismatch |
| #6416 | Yivic Easy Live Chat | 91 | 22 | 8 | 1k+ | | | Non Singular String Literal Domain |
| #6417 | Add Code To Head | 92 | 2 | 8 | 3k+ | | | Non-prefixed global variable |
| #6418 | Table Field Add-on for ACF and SCF | 92 | 9 | 3 | 50k+ | | | Text Domain Mismatch |
| #6419 | Blazeo | 92 | 4 | 5 | 400 | | | Missing Version |
| #6420 | LB Back To Top | 92 | 4 | 2 | 700 | | | Missing Version |
| #6421 | Bangla Web Fonts | 92 | 4 | 0 | 2k+ | | | Non Enqueued Stylesheet |
| #6422 | Canada Post Shipping For WooCommerce | 92 | 4 | 0 | 2k+ | | | Output is not escaped |
| #6423 | Confetti Fall Animation | 92 | 2 | 5 | 600 | | | Non-prefixed class |
| #6424 | Contact Form 7 Shortcode Enabler | 92 | 4 | 3 | 10k+ | | | trademarked term |
| #6425 | Control XML-RPC publishing | 92 | 7 | 0 | 400 | | | Text Domain Mismatch |
| #6426 | Disable Customizer | 92 | 3 | 1 | 400 | | | Output is not escaped |
| #6427 | Editor Block Outline | 92 | 2 | 5 | 1k+ | | | Not In Footer |
| #6428 | Email Blacklist For Elementor Forms | 92 | 7 | 5 | 1k+ | | | Text Domain Mismatch |
| #6429 | ERE Colors – Essential Real Estate Add-On | 92 | 4 | 1 | 1k+ | | | Missing direct file access protection |
| #6430 | FastBots | 92 | 3 | 2 | 1k+ | | | Non Enqueued Script |
| #6431 | Find And Replace Text | 92 | 4 | 2 | 400 | | | Missing direct file access protection |
| #6432 | Find Posts Using Attachment | 92 | 4 | 2 | 1k+ | | | Missing direct file access protection |
| #6433 | Grid Shortcodes | 92 | 3 | 2 | 2k+ | | | Missing Version |
| #6434 | Health Endpoint | 92 | 3 | 2 | 3k+ | | | Missing Arg Domain |
| #6435 | Hide Categories On Shop Page | 92 | 11 | 4 | 1k+ | | | Text Domain Mismatch |
| #6436 | hideShowPassword | 92 | 3 | 5 | 400 | | | trademarked term |
| #6437 | Hoot Import | 92 | 1 | 10 | 1k+ | | | Direct Query |
| #6438 | Kortez Toolset | 92 | 4 | 2 | 1k+ | | | Missing Translators Comment |
| #6439 | Lightweight Grid Columns | 92 | 4 | 2 | 10k+ | | | Missing Version |
| #6440 | LitCommerce: Multi-channel Selling Tool For WooCommerce | 92 | 4 | 3 | 2k+ | | | Missing direct file access protection |
| #6441 | Block for Apple Maps | 92 | 14 | 3 | 1k+ | | | Missing direct file access protection |
| #6442 | MB ImageChimp RSS Feed Enhancer | 92 | 6 | 0 | 700 | | | wp function not compatible with requires wp |
| #6443 | Yoga Schedule Momoyoga | 92 | 3 | 2 | 1k+ | | | Missing Version |
| #6444 | MyD Delivery Widgets | 92 | 5 | 1 | 600 | | | Missing Translators Comment |
| #6445 | OffCanvas / Drawer – Responsive Slide-In Drawer & Popup System | 92 | 6 | 2 | 900 | | | Missing direct file access protection |
| #6446 | PDF Thumbnails | 92 | 5 | 2 | 1k+ | | | Missing Arg Domain |
| #6447 | Pk Google Analytics | 92 | 3 | 1 | 400 | | | Output is not escaped |
| #6448 | Remove RSS Feed | 92 | 5 | 0 | 1k+ | | | Missing Arg Domain |
| #6449 | Site Closed | 92 | 5 | 0 | 400 | | | Missing direct file access protection |
| #6450 | Greeklish Slugs | 92 | 12 | 2 | 3k+ | | | Text Domain Mismatch |