WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
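The three fixes above applied to one template function, shown beside the version the sniff reports. This is an added example, not code from any listed plugin or from WordPress Coding Standards; the `myplugin_` function names and the `myplugin_card_note` option are hypothetical, and the code assumes it is loaded inside WordPress with `$user` being a `WP_User` object.

```php
<?php
// Added example. Function and option names are hypothetical.
// Assumes WordPress is loaded and $user is a WP_User.

// Before: every echo here prints dynamic data with no escaping call,
// so each one is reported as OutputNotEscaped.
function myplugin_render_card_unescaped( $user ) {
	$note = get_option( 'myplugin_card_note', '' );

	echo '<div class="card" title="' . $user->display_name . '">';
	echo '<a href="' . $user->user_url . '">' . $user->display_name . '</a>';
	echo '<p>' . $note . '</p>';
	echo '</div>';
}

// After: each value is escaped at the point of output, with the function
// that matches the context it lands in.
function myplugin_render_card( $user ) {
	// Stored raw; nothing is escaped before the final context is known.
	$note = get_option( 'myplugin_card_note', '' );

	printf(
		'<div class="card" title="%1$s"><a href="%2$s">%3$s</a><p>%4$s</p></div>',
		esc_attr( $user->display_name ), // attribute value
		esc_url( $user->user_url ),      // URL in href
		esc_html( $user->display_name ), // plain text node
		wp_kses_post( $note )            // limited HTML is intentionally allowed
	);
}
```

The same `display_name` value is escaped twice with different functions because it appears in two contexts, which is why the escaping call belongs at the output rather than where the value is read.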
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #1551 | WP Inventory Manager | 30 | 856 | 233 | 1k+ | Output is not escaped | ||
| #1552 | WP Mail SMTP by WPForms – The Most Popular SMTP and Email Log Plugin | 30 | 32 | 346 | 4m+ | Non-prefixed hook name | ||
| #1553 | Photo Gallery Slideshow & Masonry Tiled Gallery | 30 | 806 | 352 | 1k+ | Output is not escaped | ||
| #1554 | WP Restaurant Price List | 30 | 295 | 95 | 500 | Text Domain Mismatch | ||
| #1555 | WPOrLogin – Custom Login, Social Login, Limit Attempts, Hide Login & reCAPTCHA | 30 | 484 | 222 | 2k+ | Unsafe printing function | ||
| #1556 | WPS Cleaner | 30 | 430 | 491 | 20k+ | Output is not escaped | ||
| #1557 | WPZOOM Addons for Beaver Builder | 30 | 2,216 | 152 | 4k+ | Text Domain Mismatch | ||
| #1558 | Yaad Sarig Payment Gateway For WC | 30 | 158 | 271 | 2k+ | Nonce verification recommended | ||
| #1559 | YayPricing – WooCommerce Dynamic Pricing & Discounts | 30 | 174 | 186 | 3k+ | Non-prefixed global variable | ||
| #1560 | YASR – Yet Another Star Rating Plugin for WordPress | 30 | 252 | 378 | 10k+ | Output is not escaped | ||
| #1561 | YITH Pre-Order for WooCommerce | 30 | 397 | 1,464 | 6k+ | Non-prefixed global variable | ||
| #1562 | YITH WooCommerce Popup | 30 | 395 | 1,551 | 2k+ | Non-prefixed global variable | ||
| #1563 | YITH WooCommerce Product Slider Carousel | 30 | 389 | 1,479 | 4k+ | Non-prefixed global variable | ||
| #1564 | zahls.ch Credit Cards, PostFinance and TWINT for WooCommerce | 30 | 121 | 265 | 3k+ | Non-prefixed global variable | ||
| #1565 | Zoho CRM Lead Magnet | 30 | 101 | 1,025 | 3k+ | Request data is not unslashed | ||
| #1566 | a3 Lazy Load | 31 | 83 | 240 | 90k+ | Dynamic hook name | ||
| #1567 | ActiveCampaign – The autonomous marketing platform | 31 | 235 | 98 | 40k+ | Output is not escaped | ||
| #1568 | AEH Speed Optimization: Browser Cache, Optimized Minify, Lazy Loading & Image Optimization | 31 | 91 | 133 | 2k+ | Output is not escaped | ||
| #1569 | Advanced Category Excluder | 31 | 349 | 160 | 700 | Output is not escaped | ||
| #1570 | Advanced Woo Search – Product Search for WooCommerce | 31 | 228 | 377 | 70k+ | Nonce verification recommended | ||
| #1571 | AI Alt Text Generator | 31 | 76 | 26 | 1k+ | Missing Translators Comment | ||
| #1572 | All-in-one contact buttons – WPSHARE247 | 31 | 108 | 113 | 4k+ | Non-prefixed global variable | ||
| #1573 | Titan Anti-spam & Security – Brute Force Protection, 2FA & Spam Filter | 31 | 57 | 196 | 50k+ | Nonce verification recommended | ||
| #1574 | Apaczka.pl WooCommerce | 31 | 99 | 276 | 1k+ | Non-prefixed global variable | ||
| #1575 | Asgaros Forum | 31 | 167 | 412 | 10k+ | Output is not escaped | ||
| #1576 | Thanh Toán Quét Mã QR Code Tự Động – MoMo, ViettelPay, VNPay và 40 ngân hàng Việt Nam | 31 | 598 | 70 | 700 | Text Domain Mismatch | ||
| #1577 | Better Robots.txt – AI-Ready Crawl Control & Bot Governance | 31 | 90 | 85 | 6k+ | Text Domain Mismatch | ||
| #1578 | Яндекс Доставка (Boxberry) | 31 | 46 | 150 | 600 | Missing nonce verification | ||
| #1579 | CashBill.pl – Płatności WooCommerce | 31 | 181 | 101 | 900 | Output is not escaped | ||
| #1580 | České služby pro WordPress | 31 | 95 | 139 | 1k+ | Output is not escaped | ||
| #1581 | cformsII | 31 | 777 | 536 | 4k+ | Unsafe printing function | ||
| #1582 | Newsletter Sign-Up for CleverReach | 31 | 174 | 72 | 2k+ | Output is not escaped | ||
| #1583 | CleverReach® WP | 31 | 103 | 93 | 4k+ | Non-prefixed global variable | ||
| #1584 | Co-marquage service-public.fr | 31 | 84 | 213 | 1k+ | Non-prefixed global variable | ||
| #1585 | Codeless Page Builder | 31 | 415 | 258 | 1k+ | Text Domain Mismatch | ||
| #1586 | Colorbox Panels & Info Box | 31 | 392 | 182 | 1k+ | Non Singular String Literal Domain | ||
| #1587 | Cookie Dough Compliance and Consent for GDPR | 31 | 539 | 452 | 500 | Non Singular String Literal Domain | ||
| #1588 | Compliance by Hu-manity.co | 31 | 153 | 335 | 900k+ | Missing nonce verification | ||
| #1589 | Copy Anything to Clipboard for WordPress – Copy Button, Copy Text & Copy Code | 31 | 525 | 131 | 10k+ | Text Domain Mismatch | ||
| #1590 | Counter Number Showcase, Fun Facts – WordPress Animated Counter Plugin | 31 | 255 | 170 | 10k+ | Non Singular String Literal Domain | ||
| #1591 | Crowdfundly | 31 | 594 | 402 | 600 | Output is not escaped | ||
| #1592 | MultiVendorX – WooCommerce Multivendor Marketplace AI Powered Solutions | 31 | 664 | 273 | 3k+ | Text Domain Mismatch | ||
| #1593 | DirectoryPress Frontend | 31 | 402 | 563 | 800 | Non-prefixed global variable | ||
| #1594 | Domain Mapping System \| Create Microsites with Multiple Alias Domains (multisite optional) | 31 | 113 | 233 | 2k+ | Non-prefixed namespace | ||
| #1595 | Download Plugin | 31 | 78 | 102 | 50k+ | Output is not escaped | ||
| #1596 | Up2pay e-Transactions WooCommerce Payment Gateway | 31 | 459 | 175 | 4k+ | Text Domain Mismatch | ||
| #1597 | EnvoThemes Demo Import | 31 | 221 | 140 | 3k+ | Output is not escaped | ||
| #1598 | Export Order Items for WooCommerce | 31 | 100 | 108 | 1k+ | Text Domain Mismatch | ||
| #1599 | Express Checkout via PayPal for WooCommerce | 31 | 158 | 200 | 800 | Nonce verification recommended | ||
| #1600 | افزونه پیامک حرفه ای فراز اس ام اس | 31 | 89 | 180 | 1k+ | wp function not compatible with requires wp |