WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can lead to cross-site scripting (XSS) when an attacker controls any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
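
The fixes above applied to one template helper, shown as a flagged version beside its escaped form. This is an added example, not code from WordPress Coding Standards or from any plugin listed on this page; the function names and meta keys are hypothetical, and the code assumes it runs inside WordPress. The same `$name` value is escaped twice with different functions because it lands in two different contexts, which is why escaping happens at the `echo` rather than when the value is loaded.

```php
<?php
// Hypothetical plugin template helper; assumes it is loaded by WordPress.
// Function names and meta keys are made up for this example.

// Before: the echo statements that concatenate $name, $site and $bio are
// reported as WordPress.Security.EscapeOutput.OutputNotEscaped.
function myplugin_profile_card_flagged( $user_id ) {
	$name = get_user_meta( $user_id, 'myplugin_display_name', true );
	$site = get_user_meta( $user_id, 'myplugin_website', true );
	$bio  = get_user_meta( $user_id, 'myplugin_bio', true );

	echo '<div class="card" title="' . $name . '">';
	echo '<a href="' . $site . '">' . $name . '</a>';
	echo '<p>' . $bio . '</p>';
	echo '</div>';
}

// After: each value is escaped at the echo, for the context it lands in.
function myplugin_profile_card_escaped( $user_id ) {
	$name = get_user_meta( $user_id, 'myplugin_display_name', true );
	$site = get_user_meta( $user_id, 'myplugin_website', true );
	$bio  = get_user_meta( $user_id, 'myplugin_bio', true );

	// The bio may carry a small, explicit set of inline tags and nothing else.
	$allowed_bio_html = array(
		'a'      => array(
			'href'  => array(),
			'title' => array(),
		),
		'em'     => array(),
		'strong' => array(),
	);

	// Attribute context: esc_attr().
	echo '<div class="card" title="' . esc_attr( $name ) . '">';
	// URL inside href: esc_url(). Link text is plain text: esc_html().
	echo '<a href="' . esc_url( $site ) . '">' . esc_html( $name ) . '</a>';
	// Intentionally limited HTML: wp_kses() with the allow-list above.
	echo '<p>' . wp_kses( $bio, $allowed_bio_html ) . '</p>';
	echo '</div>';
}
```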
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #1501 | Element Invader – Template Kits for Elementor | 30 | 274 | 130 | 3k+ | Output is not escaped | ||
| #1502 | Email Templates Customizer and Designer for WordPress and WooCommerce | 30 | 250 | 349 | 20k+ | Non-prefixed global variable | ||
| #1503 | Epeken All Kurir for Woocommerce | 30 | 590 | 1,246 | 500 | Missing nonce verification | ||
| #1504 | Event post | 30 | 355 | 100 | 1k+ | Output is not escaped | ||
| #1505 | Eway Payment Gateway | 30 | 509 | 92 | 800 | Missing Translators Comment | ||
| #1506 | Exclusive Addons for Elementor | 30 | 3,629 | 266 | 50k+ | Text Domain Mismatch | ||
| #1507 | Export Plugins and Templates | 30 | 143 | 33 | 1k+ | file system operations fread | ||
| #1508 | PiWeb Export Customers Users & Guest customer to CSV for WooCommerce | 30 | 173 | 75 | 1k+ | Text Domain Mismatch | ||
| #1509 | Formzu WP | 30 | 167 | 163 | 3k+ | Text Domain Mismatch | ||
| #1510 | Anti-spam, Spam protection, ReCaptcha for all forms and GDPR-compliant | 30 | 264 | 221 | 4k+ | Non Singular String Literal Text | ||
| #1511 | GlobalPayments Gateway Provider for WooCommerce | 30 | 611 | 170 | 1k+ | Text Domain Mismatch | ||
| #1512 | Kargo Takip, Kargo SMS, İlçe Mahalle Sözleşme by Hezarfen | 30 | 70 | 276 | 2k+ | Non-prefixed global variable | ||
| #1513 | Invisible reCaptcha for WordPress | 30 | 90 | 185 | 80k+ | Input is not sanitized | ||
| #1514 | Jetpack Protect | 30 | 657 | 217 | 100k+ | Text Domain Mismatch | ||
| #1515 | core plugin for kitestudio themes | 30 | 244 | 415 | 500 | Nonce verification recommended | ||
| #1516 | Laposta Signup Embed | 30 | 88 | 19 | 1k+ | Exception output is not escaped | ||
| #1517 | Mailrelay | 30 | 318 | 170 | 1k+ | Text Domain Mismatch | ||
| #1518 | Meow Gallery | 30 | 111 | 182 | 10k+ | Direct Query | ||
| #1519 | MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor | 30 | 63 | 227 | 600k+ | Non-prefixed global variable | ||
| #1520 | Midtrans-WooCommerce | 30 | 112 | 132 | 5k+ | Non-prefixed global variable | ||
| #1521 | Move Addons for Elementor | 30 | 3,919 | 91 | 3k+ | Text Domain Mismatch | ||
| #1522 | Naver webmaster syndication v2 | 30 | 89 | 129 | 500 | Output is not escaped | ||
| #1523 | Novelist | 30 | 475 | 158 | 1k+ | Output is not escaped | ||
| #1524 | OoohBoi Steroids for Elementor | 30 | 2,059 | 100 | 40k+ | Text Domain Mismatch | ||
| #1525 | Operation Demo Importer – Demo Importer For WPoperation Themes | 30 | 245 | 104 | 1k+ | Text Domain Mismatch | ||
| #1526 | PayU CommercePro Plugin | 30 | 95 | 270 | 7k+ | Text Domain Mismatch | ||
| #1527 | Popularis Extra | 30 | 237 | 141 | 7k+ | Output is not escaped | ||
| #1528 | Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget | 30 | 231 | 102 | 1k+ | Non Singular String Literal Domain | ||
| #1529 | Pre-Orders for WooCommerce | 30 | 568 | 261 | 7k+ | Output is not escaped | ||
| #1530 | Sync Master Sheet – Product Sync with Google Sheet for WooCommerce | 30 | 136 | 300 | 400 | Non-prefixed global variable | ||
| #1531 | Pubjet \| پابجت | 30 | 91 | 172 | 1k+ | Output is not escaped | ||
| #1532 | Realbig For WordPress | 30 | 36 | 591 | 1k+ | Non-prefixed global variable | ||
| #1533 | Responsive Addons for Elementor – Free Elementor Addons, Kits and Elementor Templates | 30 | 60 | 387 | 3k+ | Non-prefixed global variable | ||
| #1534 | Rublon Multi-Factor Authentication (MFA) | 30 | 216 | 160 | 500 | Output is not escaped | ||
| #1535 | Sina Extension for Elementor | 30 | 3,701 | 160 | 40k+ | Text Domain Mismatch | ||
| #1536 | SmartCrawl SEO checker, analyzer & optimizer | 30 | 347 | 1,307 | 20k+ | Non-prefixed global variable | ||
| #1537 | SMTP for Amazon SES – YaySMTP | 30 | 197 | 122 | 3k+ | Exception output is not escaped | ||
| #1538 | Star Addons for Elementor | 30 | 236 | 255 | 1k+ | Non-prefixed global variable | ||
| #1539 | Taboola | 30 | 89 | 147 | 1k+ | Output is not escaped | ||
| #1540 | Themify Portfolio Post | 30 | 214 | 102 | 30k+ | Text Domain Mismatch | ||
| #1541 | Travel Booking Toolkit | 30 | 245 | 324 | 3k+ | Non-prefixed global variable | ||
| #1542 | Travelers' Map | 30 | 311 | 155 | 1k+ | Output is not escaped | ||
| #1543 | Tutor LMS Divi Modules | 30 | 420 | 722 | 1k+ | Non-prefixed global variable | ||
| #1544 | Urvanov Syntax Highlighter | 30 | 221 | 87 | 3k+ | Output is not escaped | ||
| #1545 | User Access Manager | 30 | 393 | 171 | 10k+ | Output is not escaped | ||
| #1546 | User Avatar – Reloaded | 30 | 352 | 171 | 900 | Text Domain Mismatch | ||
| #1547 | User Role by BestWebSoft – Add and Customize Roles and Capabilities in WordPress | 30 | 484 | 280 | 3k+ | Text Domain Mismatch | ||
| #1548 | UX Flat | 30 | 539 | 203 | 1k+ | Missing Arg Domain | ||
| #1549 | Waitlist Woocommerce ( Back in stock notifier ) | 30 | 272 | 311 | 4k+ | Output is not escaped | ||
| #1550 | Checkout with Cash App on WooCommerce | 30 | 122 | 308 | 2k+ | Non-prefixed global variable | ||