WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
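The three fixes above applied to one template function, shown before and after. This is an added example, not code from this page or from any plugin listed below; the `acme_*` function names and option keys are hypothetical.

```php
<?php
// Added example: the acme_* function names and option keys are hypothetical.

// Before: each variable echoed below is reported as OutputNotEscaped.
function acme_banner_unescaped() {
	$label = get_option( 'acme_banner_label', '' );
	$link  = get_option( 'acme_banner_link', '' );
	$body  = get_option( 'acme_banner_body', '' );

	echo '<div class="acme-banner" data-label="' . $label . '">';
	echo '<a href="' . $link . '">' . $label . '</a>';
	echo '<div class="acme-banner-body">' . $body . '</div>';
	echo '</div>';
}

// After: values stay raw until the echo, where each one is escaped for the
// context it lands in. $label is used twice and needs a different function
// each time, which is why escaping happens at output and not at load time.
function acme_banner() {
	$label = get_option( 'acme_banner_label', '' );
	$link  = get_option( 'acme_banner_link', '' );
	$body  = get_option( 'acme_banner_body', '' );

	// Attribute context.
	echo '<div class="acme-banner" data-label="' . esc_attr( $label ) . '">';
	// URL context for href, plain-text context for the link text.
	echo '<a href="' . esc_url( $link ) . '">' . esc_html( $label ) . '</a>';
	// Limited HTML is intended here, so filter to the post-content tag set.
	echo '<div class="acme-banner-body">' . wp_kses_post( $body ) . '</div>';
	echo '</div>';
}
```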
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1701 | RICG Responsive Images | 35 | 29 | 25 | 2k+ | | | wp function not compatible with requires wp |
| #1702 | Robots.txt rewrite | 35 | 56 | 19 | 1k+ | | | Output is not escaped |
| #1703 | Internal Links Manager | 35 | 188 | 121 | 10k+ | | | Output is not escaped |
| #1704 | SEO Slider | 35 | 242 | 17 | 1k+ | | | Text Domain Mismatch |
| #1705 | Shop Page WP | 35 | 68 | 23 | 3k+ | | | Unsafe printing function |
| #1706 | Shopkeeper Extender | 35 | 14 | 26 | 5k+ | | | Missing Version |
| #1707 | Product Feed for Google Shopping, Microsoft Advertising and 40+ Channels for WooCommerce Merchant | 35 | 83 | 76 | 2k+ | | | Output is not escaped |
| #1708 | Shortcake (Shortcode UI) | 35 | 9 | 39 | 10k+ | | | Request data is not unslashed |
| #1709 | Simple CAPTCHA with Cloudflare Turnstile | 35 | 82 | 148 | 100k+ | | | Output is not escaped |
| #1710 | Simple Header Footer HTML | 35 | 30 | 5 | 3k+ | | | Output is not escaped |
| #1711 | Simple Image Sizes | 35 | 53 | 75 | 60k+ | | | Unsafe printing function |
| #1712 | Simple Map | 35 | 10 | 1 | 10k+ | | | Output is not escaped |
| #1713 | Simple Yearly Archive | 35 | 102 | 36 | 6k+ | | | Unsafe printing function |
| #1714 | Simple YouTube Responsive | 35 | 75 | 8 | 3k+ | | | wp function not compatible with requires wp |
| #1715 | SimpleTOC – Table of Contents Block | 35 | 10 | 0 | 10k+ | | | Setting is missing a sanitization callback |
| #1716 | SiteGround Migrator | 35 | 113 | 74 | 70k+ | | | Missing Arg Domain |
| #1717 | Sitekit | 35 | 122 | 8 | 3k+ | | | Output is not escaped |
| #1718 | Sky Login Redirect | 35 | 7 | 24 | 2k+ | | | Non-prefixed hook name |
| #1719 | Slick Slider | 35 | 36 | 9 | 2k+ | | | Output is not escaped |
| #1720 | SiteOrigin CSS | 35 | 61 | 84 | 100k+ | | | Not In Footer |
| #1721 | WPZOOM Connect: Social Icons Widget, Share Buttons & Click to Chat | 35 | 28 | 31 | 100k+ | | | Input is not sanitized |
| #1722 | Quiz Maker, Poll Maker & Survey Maker by Opinion Stage | 35 | 42 | 32 | 6k+ | | | Output is not escaped |
| #1723 | Sold Out Badge for WooCommerce | 35 | 5 | 4 | 8k+ | | | Output is not escaped |
| #1724 | Solid Performance – Your No-Code Caching, Performance, & Page Speed Solution | 35 | 75 | 61 | 4k+ | | | Exception output is not escaped |
| #1725 | Speedy Page Redirect | 35 | 6 | 10 | 1k+ | | | Output is not escaped |
| #1726 | Spreadshop Plugin | 35 | 145 | 44 | 4k+ | | | wp function not compatible with requires wp |
| #1727 | SSL Insecure Content Fixer | 35 | 28 | 60 | 100k+ | | | Input is not sanitized |
| #1728 | Stars Testimonials — Responsive Reviews & Star Ratings | 35 | 29 | 253 | 1k+ | | | Non-prefixed global variable |
| #1729 | Sticky Chat Widget – Floating Chat Icons, Contact Form, Call, Click to Chat, Email & Message Buttons | 35 | 33 | 293 | 10k+ | | | Non-prefixed global variable |
| #1730 | String locator | 35 | 52 | 319 | 100k+ | | | Non-prefixed global variable |
| #1731 | SumUp Payment Gateway For WooCommerce | 35 | 29 | 59 | 10k+ | | | Nonce verification recommended |
| #1732 | TC Custom JavaScript | 35 | 19 | 26 | 10k+ | | | Missing Version |
| #1733 | Team Showcase – Responsive Team Members Grid, Slider & Carousel Plugin | 35 | 1,000 | 410 | 2k+ | | | Text Domain Mismatch |
| #1734 | Starter Sites & Templates by Neve | 35 | 28 | 88 | 100k+ | | | Non-prefixed hook name |
| #1735 | Termageddon: Cookie Consent & Privacy Compliance | 35 | 28 | 13 | 7k+ | | | Exception output is not escaped |
| #1736 | The Social Links | 35 | 16 | 29 | 2k+ | | | Non-prefixed global variable |
| #1737 | Theme Blvd Layout Builder | 35 | 207 | 169 | 2k+ | | | Output is not escaped |
| #1738 | Themify Icons | 35 | 33 | 12 | 3k+ | | | Output is not escaped |
| #1739 | Themify Shortcodes | 35 | 36 | 16 | 8k+ | | | Output is not escaped |
| #1740 | TinyMCE Templates | 35 | 41 | 27 | 20k+ | | | Text Domain Mismatch |
| #1741 | Tockify Events Calendar | 35 | 35 | 12 | 2k+ | | | Output is not escaped |
| #1742 | TS Webfonts for さくらのレンタルサーバ | 35 | 183 | 100 | 30k+ | | | Missing Arg Domain |
| #1743 | Two Factor Authentication | 35 | 108 | 139 | 20k+ | | | Output is not escaped |
| #1744 | Ultimate Post List | 35 | 186 | 84 | 2k+ | | | Missing Arg Domain |
| #1745 | Use Google Libraries | 35 | 13 | 5 | 10k+ | | | Hidden files included |
| #1746 | User Photo | 35 | 112 | 68 | 3k+ | | | Output is not escaped |
| #1747 | Embed videos and respect privacy | 35 | 6 | 11 | 2k+ | | | Non-prefixed global variable |
| #1748 | VK Post Author Display | 35 | 87 | 111 | 10k+ | | | Non-prefixed function |
| #1749 | Void Elementor Post Grid Addon for Elementor Page builder | 35 | 189 | 93 | 3k+ | | | Text Domain Mismatch |
| #1750 | W4 Post List | 35 | 50 | 138 | 3k+ | | | Non-prefixed global variable |