WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
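
The rules above applied to one template, as an added example (not code from any plugin listed on this page). The `acme_*` function names and the `acme_notice_settings` option with its `title`, `link`, `label` and `body` keys are hypothetical.

```php
<?php
// Added example; the acme_* names and the option layout are hypothetical.

// Before: every echo that concatenates a variable is what OutputNotEscaped reports.
function acme_render_notice_unescaped() {
	$settings = get_option( 'acme_notice_settings', array() );
	$ref      = isset( $_GET['ref'] ) ? wp_unslash( $_GET['ref'] ) : '';

	echo '<div class="acme-notice" data-ref="' . $ref . '">';
	echo '<h3>' . $settings['title'] . '</h3>';
	echo '<a href="' . $settings['link'] . '">' . $settings['label'] . '</a>';
	echo '<div class="acme-body">' . $settings['body'] . '</div>';
	echo '</div>';
}

// After: the same markup, with each value escaped for the context it lands in,
// at the point of output.
function acme_render_notice() {
	$settings = wp_parse_args(
		get_option( 'acme_notice_settings', array() ),
		array( 'title' => '', 'link' => '', 'label' => '', 'body' => '' )
	);
	// Sanitizing on input does not replace escaping on output; both are done here.
	$ref = isset( $_GET['ref'] ) ? sanitize_text_field( wp_unslash( $_GET['ref'] ) ) : '';

	// Attribute context.
	echo '<div class="acme-notice" data-ref="' . esc_attr( $ref ) . '">';
	// Plain text inside an element.
	echo '<h3>' . esc_html( $settings['title'] ) . '</h3>';
	// URL in href, then plain text for the link label.
	echo '<a href="' . esc_url( $settings['link'] ) . '">' . esc_html( $settings['label'] ) . '</a>';
	// Limited HTML is intended here, so filter it against the post-content allowlist.
	echo '<div class="acme-body">' . wp_kses_post( $settings['body'] ) . '</div>';
	echo '</div>';
}
```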
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Updated |
|---|---|---|---|---|---|---|---|
| #1651 | Kargo Takip | 35 | 84 | 142 | 3k+ | Missing | |
| #1652 | Kaya QR Code Generator | 35 | 193 | 40 | 20k+ | Non Singular String Literal Domain | |
| #1653 | KBoard 위젯 – 워드프레스 게시판 | 35 | 53 | 32 | 3k+ | Output Not Escaped | |
| #1654 | Keyring | 35 | 233 | 203 | 1k+ | Output Not Escaped | |
| #1655 | Kustom Checkout for WooCommerce | 35 | 82 | 497 | 10k+ | Dynamic Hookname Found | |
| #1656 | Lead Call Buttons | 35 | 113 | 81 | 6k+ | Output Not Escaped | |
| #1657 | Lead Form Builder & Contact Form | 35 | 400 | 345 | 9k+ | Output Not Escaped | |
| #1658 | Less PHP Compiler | 35 | 163 | 47 | 3k+ | Exception Not Escaped | |
| #1659 | Login-Logout | 35 | 104 | 8 | 3k+ | Output Not Escaped | |
| #1660 | Login Page Styler – Custom WordPress Login Page Customizer & Security | 35 | 125 | 168 | 2k+ | Missing Arg Domain | |
| #1661 | Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library ) | 35 | 273 | 127 | 5k+ | Output Not Escaped | |
| #1662 | MapSVG – Vector maps, Image maps, Google Maps | 35 | 74 | 47 | 1k+ | missing direct file access protection | |
| #1663 | Mark Posts | 35 | 30 | 34 | 1k+ | Missing Unslash | |
| #1664 | Mechanic Visitor Counter | 35 | 240 | 66 | 8k+ | Output Not Escaped | |
| #1665 | Media Library Downloader | 35 | 21 | 16 | 4k+ | Output Not Escaped | |
| #1666 | Restaurant Menu – Food Ordering System – Table Reservation | 35 | 317 | 186 | 8k+ | Unsafe Printing Function | |
| #1667 | MetaSlider Gallery – Image Gallery, Lightbox Galleries, Modal Windows | 35 | 157 | 49 | 10k+ | Output Not Escaped | |
| #1668 | MotoPress Hotel Booking Styles & Templates | 35 | 37 | 19 | 10k+ | block api version too low | |
| #1669 | One Page Express Companion | 35 | 132 | 65 | 10k+ | Output Not Escaped | |
| #1670 | ONet Regenerate Thumbnails | 35 | 190 | 64 | 1k+ | Text Domain Mismatch | |
| #1671 | Plugin Ongkos Kirim JNE Tiki Sicepat Wahana J&T POS for Woocommerce | 35 | 117 | 144 | 2k+ | Output Not Escaped | |
| #1672 | OPcache Manager | 35 | 155 | 75 | 1k+ | Output Not Escaped | |
| #1673 | Order Delivery Date for WooCommerce | 35 | 2,060 | 73 | 10k+ | wp function not compatible with requires wp | |
| #1674 | OT Flatsome Vertical Menu | 35 | 126 | 26 | 10k+ | Text Domain Mismatch | |
| #1675 | Page Optimize | 35 | 70 | 41 | 200k+ | Non Singular String Literal Domain | |
| #1676 | Page Visits Counter – Lite | 35 | 28 | 35 | 5k+ | Output Not Escaped | |
| #1677 | Paytm Payment Gateway | 35 | 92 | 104 | 3k+ | Missing Arg Domain | |
| #1678 | Paytrail for WooCommerce | 35 | 28 | 46 | 3k+ | Non Prefixed Variable Found | |
| #1679 | Perfecty Push Notifications | 35 | 204 | 213 | 4k+ | Not Prepared | |
| #1680 | Pie Calendar – Events Calendar Made Simple | 35 | 83 | 53 | 1k+ | Text Domain Mismatch | |
| #1681 | Piwik PRO | 35 | 22 | 3 | 3k+ | Output Not Escaped | |
| #1682 | Pochipp | 35 | 27 | 102 | 20k+ | Non Prefixed Variable Found | |
| #1683 | Poptin – Email Marketing Automation, Newsletter & Exit Pop Ups, Email Popups | 35 | 173 | 34 | 20k+ | Output Not Escaped | |
| #1684 | Post Content Shortcodes | 35 | 205 | 56 | 2k+ | Output Not Escaped | |
| #1685 | Post Meta Data Manager | 35 | 30 | 112 | 1k+ | Non Prefixed Variable Found | |
| #1686 | Posts Table with Search & Sort | 35 | 143 | 33 | 3k+ | Text Domain Mismatch | |
| #1687 | PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) | 35 | 6 | 56 | 80k+ | Post Not In exclude | |
| #1688 | Print, PDF, Email by PrintFriendly | 35 | 220 | 29 | 20k+ | Unsafe Printing Function | |
| #1689 | Product Input Fields for WooCommerce | 35 | 18 | 84 | 4k+ | Non Prefixed Function Found | |
| #1690 | Min Max Step Quantity Limits Manager for WooCommerce | 35 | 67 | 158 | 3k+ | Non Prefixed Variable Found | |
| #1691 | Ninjalytics: Sales Reports & Order Export for WooCommerce and EDD | 35 | 15 | 30 | 6k+ | Non Prefixed Variable Found | |
| #1692 | Push Notifications by LaraPush | 35 | 32 | 76 | 4k+ | Non Prefixed Variable Found | |
| #1693 | ReactPress – Create React App for WordPress | 35 | 26 | 43 | 3k+ | Missing Unslash | |
| #1694 | Real Time Validation for Gravity Forms | 35 | 185 | 30 | 2k+ | Output Not Escaped | |
| #1695 | Really Simple Google Tag Manager (GTM) | 35 | 115 | 15 | 4k+ | Text Domain Mismatch | |
| #1696 | Recurio – Ultimate Subscription for WooCommerce | 35 | 41 | 300 | 1k+ | Direct Query | |
| #1697 | Related Posts by Taxonomy | 35 | 131 | 97 | 10k+ | Output Not Escaped | |
| #1698 | Related Posts for WordPress | 35 | 207 | 180 | 10k+ | Output Not Escaped | |
| #1699 | Remove Dashboard Access | 35 | 16 | 23 | 30k+ | wp function not compatible with requires wp | |
| #1700 | ReOrder Posts within Categories | 35 | 39 | 207 | 7k+ | Non Prefixed Variable Found |