WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
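The three output contexts from the list above, shown as a flagged function beside its corrected form. This is an added example, not code from WordPress Coding Standards or from any plugin listed on this page; the `myplugin_` names, the `myplugin_note` option and the `ref` / `return_to` query parameters are hypothetical, and the code assumes it is loaded inside WordPress.

```php
<?php
// Added example. Hypothetical names: myplugin_ prefix, myplugin_note option,
// and the "ref" / "return_to" query parameters.

// Flagged form: each echo prints dynamic data with no escaping call.
function myplugin_render_notice_unsafe() {
	$ref = isset( $_GET['ref'] ) ? $_GET['ref'] : '';
	echo '<p class="notice-' . $ref . '">Referred by ' . $ref . '</p>'; // OutputNotEscaped
	echo '<a href="' . $_GET['return_to'] . '">Back</a>';               // OutputNotEscaped
	echo get_option( 'myplugin_note' );                                  // OutputNotEscaped
}

// Corrected form: values stay raw until the print call, where each one
// gets the escaping function for the context it lands in.
function myplugin_render_notice() {
	$ref       = isset( $_GET['ref'] ) ? sanitize_text_field( wp_unslash( $_GET['ref'] ) ) : '';
	$return_to = isset( $_GET['return_to'] ) ? wp_unslash( $_GET['return_to'] ) : home_url( '/' );
	$note      = get_option( 'myplugin_note', '' );

	printf(
		'<p class="%1$s">%2$s</p>',
		esc_attr( 'notice-' . $ref ), // attribute context
		/* translators: %s: referrer label taken from the request */
		esc_html( sprintf( __( 'Referred by %s', 'myplugin' ), $ref ) ) // text context
	);

	// URL context: esc_url() drops schemes outside its allowed list,
	// so a javascript: value becomes an empty href.
	printf(
		'<a href="%1$s">%2$s</a>',
		esc_url( $return_to ),
		esc_html__( 'Back', 'myplugin' )
	);

	// Limited HTML is intended here, so allow only the listed tags and attributes.
	$allowed = array(
		'a'      => array( 'href' => array() ),
		'strong' => array(),
		'em'     => array(),
	);
	echo wp_kses( $note, $allowed );
}
```

Sanitizing `ref` on input does not replace the escaping calls: the same value is printed in both an attribute and a text node, and each position gets its own function at output time.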
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Updated |
|---|---|---|---|---|---|---|---|
| #1601 | Nobs • Share Buttons | 35 | 314 | 85 | 3k+ | Output Not Escaped | |
| #1602 | JWT Auth – WordPress JSON Web Token Authentication | 35 | 14 | 18 | 6k+ | Output Not Escaped | |
| #1603 | Kadence for WooCommerce and Elementor | 35 | 39 | 21 | 3k+ | Output Not Escaped | |
| #1604 | Kargo Takip | 35 | 84 | 142 | 3k+ | Missing | |
| #1605 | Kaya QR Code Generator | 35 | 193 | 40 | 20k+ | Non Singular String Literal Domain | |
| #1606 | KBoard 위젯 – 워드프레스 게시판 | 35 | 53 | 32 | 3k+ | Output Not Escaped | |
| #1607 | Kustom Checkout for WooCommerce | 35 | 82 | 497 | 10k+ | Dynamic Hookname Found | |
| #1608 | Lead Call Buttons | 35 | 113 | 81 | 6k+ | Output Not Escaped | |
| #1609 | Lead Form Builder & Contact Form | 35 | 400 | 345 | 9k+ | Output Not Escaped | |
| #1610 | Less PHP Compiler | 35 | 163 | 47 | 3k+ | Exception Not Escaped | |
| #1611 | Login-Logout | 35 | 104 | 8 | 3k+ | Output Not Escaped | |
| #1612 | Login Page Styler – Custom WordPress Login Page Customizer & Security | 35 | 125 | 168 | 2k+ | Missing Arg Domain | |
| #1613 | Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library ) | 35 | 273 | 127 | 5k+ | Output Not Escaped | |
| #1614 | MapSVG – Vector maps, Image maps, Google Maps | 35 | 74 | 47 | 1k+ | missing direct file access protection | |
| #1615 | Mechanic Visitor Counter | 35 | 240 | 66 | 8k+ | Output Not Escaped | |
| #1616 | Media Library Downloader | 35 | 21 | 16 | 4k+ | Output Not Escaped | |
| #1617 | Restaurant Menu – Food Ordering System – Table Reservation | 35 | 317 | 186 | 8k+ | Unsafe Printing Function | |
| #1618 | MetaSlider Gallery – Image Gallery, Lightbox Galleries, Modal Windows | 35 | 157 | 49 | 10k+ | Output Not Escaped | |
| #1619 | MotoPress Hotel Booking Styles & Templates | 35 | 37 | 19 | 10k+ | block api version too low | |
| #1620 | One Page Express Companion | 35 | 132 | 65 | 10k+ | Output Not Escaped | |
| #1621 | ONet Regenerate Thumbnails | 35 | 190 | 64 | 1k+ | Text Domain Mismatch | |
| #1622 | Plugin Ongkos Kirim JNE Tiki Sicepat Wahana J&T POS for Woocommerce | 35 | 117 | 144 | 2k+ | Output Not Escaped | |
| #1623 | OPcache Manager | 35 | 155 | 75 | 1k+ | Output Not Escaped | |
| #1624 | Order Delivery Date for WooCommerce | 35 | 2,060 | 73 | 10k+ | wp function not compatible with requires wp | |
| #1625 | OT Flatsome Vertical Menu | 35 | 126 | 26 | 10k+ | Text Domain Mismatch | |
| #1626 | Page Optimize | 35 | 70 | 41 | 200k+ | Non Singular String Literal Domain | |
| #1627 | Page Visits Counter – Lite | 35 | 28 | 35 | 5k+ | Output Not Escaped | |
| #1628 | Paytm Payment Gateway | 35 | 92 | 104 | 3k+ | Missing Arg Domain | |
| #1629 | Paytrail for WooCommerce | 35 | 28 | 46 | 3k+ | Non Prefixed Variable Found | |
| #1630 | Perfecty Push Notifications | 35 | 204 | 213 | 4k+ | Not Prepared | |
| #1631 | Piwik PRO | 35 | 22 | 3 | 3k+ | Output Not Escaped | |
| #1632 | Pochipp | 35 | 27 | 102 | 20k+ | Non Prefixed Variable Found | |
| #1633 | Poptin – Email Marketing Automation, Newsletter & Exit Pop Ups, Email Popups | 35 | 173 | 34 | 20k+ | Output Not Escaped | |
| #1634 | Post Content Shortcodes | 35 | 205 | 56 | 2k+ | Output Not Escaped | |
| #1635 | Posts Table with Search & Sort | 35 | 143 | 33 | 3k+ | Text Domain Mismatch | |
| #1636 | PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) | 35 | 6 | 56 | 80k+ | Post Not In exclude | |
| #1637 | Print, PDF, Email by PrintFriendly | 35 | 220 | 29 | 20k+ | Unsafe Printing Function | |
| #1638 | Product Input Fields for WooCommerce | 35 | 18 | 84 | 4k+ | Non Prefixed Function Found | |
| #1639 | Min Max Step Quantity Limits Manager for WooCommerce | 35 | 67 | 158 | 3k+ | Non Prefixed Variable Found | |
| #1640 | Ninjalytics: Sales Reports & Order Export for WooCommerce and EDD | 35 | 15 | 30 | 6k+ | Non Prefixed Variable Found | |
| #1641 | Push Notifications by LaraPush | 35 | 32 | 76 | 4k+ | Non Prefixed Variable Found | |
| #1642 | ReactPress – Create React App for WordPress | 35 | 26 | 43 | 3k+ | Missing Unslash | |
| #1643 | Real Time Validation for Gravity Forms | 35 | 185 | 30 | 2k+ | Output Not Escaped | |
| #1644 | Really Simple Google Tag Manager (GTM) | 35 | 115 | 15 | 4k+ | Text Domain Mismatch | |
| #1645 | Recurio – Ultimate Subscription for WooCommerce | 35 | 41 | 300 | 1k+ | Direct Query | |
| #1646 | Related Posts by Taxonomy | 35 | 131 | 97 | 10k+ | Output Not Escaped | |
| #1647 | Related Posts for WordPress | 35 | 207 | 180 | 10k+ | Output Not Escaped | |
| #1648 | Remove Dashboard Access | 35 | 16 | 23 | 30k+ | wp function not compatible with requires wp | |
| #1649 | ReOrder Posts within Categories | 35 | 39 | 207 | 7k+ | Non Prefixed Variable Found | |
| #1650 | WP Responsive Tabs horizontal vertical and accordion Tabs | 35 | 598 | 212 | 2k+ | Output Not Escaped | |