WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards (the `WordPress.Security.EscapeOutput` sniff) found an output statement such as `echo`, `print`, `printf` or `<?=` whose argument is a variable, option, request value, function result, or string concatenation that is not wrapped in an escaping function the sniff recognises. The check is syntactic, not data-flow aware: a value that was escaped earlier and stored in a variable is still reported when that variable is printed, and a plugin's own escaping wrappers are only recognised if they are registered through the sniff's `customEscapingFunctions` property.
Why It Matters
Unescaped output becomes cross-site scripting as soon as an attacker controls any part of the printed value. That includes sources that look trusted: options and post meta written by a lower-privileged role or by another plugin, request parameters reflected into admin screens, and comment, user profile or shortcode attribute fields. In WordPress an XSS that fires in an administrator's browser is usually a full site compromise, because that session can install plugins and edit theme files.
How to Fix
- Match the function to the context: `esc_html()` for text nodes, `esc_attr()` for attribute values, `esc_url()` for `href`/`src` values (it drops `javascript:` and other disallowed schemes), `esc_textarea()` for `<textarea>` contents.
- Use `wp_kses()` or `wp_kses_post()` only where limited HTML is intentionally allowed; everything else gets fully escaped.
- Translated strings are output too: replace `_e()` and `echo __()` with `esc_html_e()`, `esc_html__()`, `esc_attr_e()` or `esc_attr__()`.
- For data handed to inline JavaScript use `wp_json_encode()` (or `wp_add_inline_script()` / `wp_localize_script()`); `esc_js()` only covers strings placed inside a quoted JavaScript string literal, typically in an event-handler attribute.
- Escape as late as possible, inside the output statement itself, so the chosen function matches the final context. The sniff only accepts escaping it can see in that statement; `printf()` with a literal format string and every argument escaped is accepted, whereas escaping into a variable and echoing the variable later is still reported.
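The fix list above, worked through on one rendering function. This is an added example, not code from the original page or from any plugin listed below: a hypothetical comment card is rendered twice, once the way the sniff reports it and once escaped per output context. The `esc_*`, `wp_kses_post()` and `wp_json_encode()` calls are the real WordPress functions; the `mycorp_*` names, the polyfill block and the sample comment are invented for the example.

```php
<?php
declare( strict_types=1 );

/*
 * Added example, not code from the original page or from any plugin listed
 * on it. A hypothetical comment card is rendered twice: once the way the
 * OutputNotEscaped sniff reports it, once escaped per output context. The
 * esc_*, wp_kses_post() and wp_json_encode() calls are the real WordPress
 * functions; the mycorp_* names and the sample comment are invented. Run
 * with `php` from the command line, or drop the two functions into a plugin.
 */

// Stand-ins so the file also runs outside WordPress. Inside WordPress these
// already exist and this block is skipped. They only approximate core:
// esc_url() here just checks the scheme, and wp_kses_post() is stricter than
// the real one (it escapes all HTML instead of allowlisting post markup).
if ( ! function_exists( 'esc_html' ) ) {
	function esc_html( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
	}
	function esc_attr( $text ) {
		return esc_html( $text );
	}
	function __( $text, $domain = 'default' ) {
		return $text;
	}
	function esc_html__( $text, $domain = 'default' ) {
		return esc_html( $text );
	}
	function esc_url( $url ) {
		$url = trim( (string) $url );
		return preg_match( '#^(https?:|mailto:|/)#i', $url ) ? esc_attr( $url ) : '';
	}
	function wp_kses_post( $text ) {
		return esc_html( $text );
	}
	function wp_json_encode( $data ) {
		return json_encode( $data );
	}
}

// What the sniff flags: attacker-influenced strings reach an attribute, a
// URL, a text node and a script block with no escaping at the point of output.
function mycorp_comment_card_unsafe( array $c ): void {
	echo '<div class="card ' . $c['css_class'] . '">'
		. '<a href="' . $c['author_url'] . '">' . $c['author'] . '</a>'
		. '<div class="body">' . $c['content'] . '</div>'
		. '<button>' . __( 'Reply', 'mycorp' ) . '</button>'
		. '<script>mycorpInit("' . $c['author'] . '");</script>'
		. '</div>';
}

// The fix: a literal format string, each argument escaped with the function
// for its context, and the escaping done inside the output statement itself,
// which is the only place the sniff looks for it.
function mycorp_comment_card_safe( array $c ): void {
	printf(
		'<div class="card %1$s"><a href="%2$s">%3$s</a><div class="body">%4$s</div><button>%5$s</button>',
		esc_attr( $c['css_class'] ),    // attribute value: quotes become entities
		esc_url( $c['author_url'] ),    // URL: javascript: and other disallowed schemes are dropped
		esc_html( $c['author'] ),       // text node
		wp_kses_post( $c['content'] ),  // limited HTML allowed on purpose
		esc_html__( 'Reply', 'mycorp' ) // translated strings are output too
	);
	// Data for inline JS goes through JSON, never string concatenation.
	// json_encode() escapes "/" by default, so "</script>" inside the data
	// cannot close the tag. (wp_add_inline_script() is the nicer home for this.)
	echo '<script>mycorpInit(' . wp_json_encode( array( 'author' => $c['author'] ) ) . ');</script>';
	echo '</div>';
}

// Constructed hostile comment (not real data): one payload per output context.
$mycorp_comment = array(
	'css_class'  => 'highlight" onmouseover="alert(1)',
	'author_url' => 'javascript:alert(document.cookie)',
	'author'     => 'Eve </script><script>alert(2)</script>',
	'content'    => '<p>Thanks!</p><img src=x onerror=alert(3)>',
);

echo "--- as flagged by the sniff ---\n";
mycorp_comment_card_unsafe( $mycorp_comment );
echo "\n--- escaped per context ---\n";
mycorp_comment_card_safe( $mycorp_comment );
echo "\n";
```

Running the file shows the attribute breakout, the `javascript:` link and the script-tag breakout surviving in the first card and neutralised in the second. With the stand-ins the comment body comes out fully escaped; inside WordPress the real `wp_kses_post()` keeps the `<p>` and strips the `onerror` handler. Note that the unsafe function is reported even though it is a single `echo`, and that splitting it into escaped assignments followed by `echo $card;` would still be reported, which is why the fixed version escapes inside `printf()` and `echo`.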
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #1751 | Better Recent Comments | 35 | 127 | 29 | 2k+ | Text Domain Mismatch | ||
| #1752 | Lord of the Files: Enhanced Upload Security | 35 | 62 | 42 | 1k+ | Non-prefixed global variable | ||
| #1753 | Gutenberg Block for WooCommerce Product Table | 35 | 14 | 4 | 3k+ | Hidden files included | ||
| #1754 | Block Manager | 35 | 33 | 26 | 4k+ | Text Domain Mismatch | ||
| #1755 | BlossomThemes Toolkit | 35 | 347 | 52 | 30k+ | Output is not escaped | ||
| #1756 | Tooltipy (tooltips for WP) | 35 | 370 | 125 | 1k+ | Text Domain Mismatch | ||
| #1757 | Bootstrap for Contact Form 7 | 35 | 35 | 73 | 10k+ | Nonce verification recommended | ||
| #1758 | Custom Order Status Manager for WooCommerce | 35 | 630 | 67 | 30k+ | Text Domain Mismatch | ||
| #1759 | Registration Options for BuddyPress | 35 | 47 | 132 | 1k+ | Non-prefixed function | ||
| #1760 | Brozzme DB Prefix & Tools Addons | 35 | 24 | 42 | 9k+ | Request data is not unslashed | ||
| #1761 | BSK Forms Blacklist | 35 | 831 | 550 | 1k+ | Output is not escaped | ||
| #1762 | BTCPay Server – Accept Bitcoin payments in WooCommerce | 35 | 48 | 86 | 1k+ | Missing nonce verification | ||
| #1763 | BugHerd | 35 | 8 | 2 | 3k+ | Output is not escaped | ||
| #1764 | Business Hours Indicator | 35 | 139 | 106 | 8k+ | Alternative PHP tag found | ||
| #1765 | C3 Cloudfront Cache Controller | 35 | 109 | 60 | 3k+ | Non Singular String Literal Domain | ||
| #1766 | Cache Enabler | 35 | 44 | 75 | 90k+ | Input is not sanitized | ||
| #1767 | CF7 Submissions – Securely Store Contact Form 7 Data and Attachments, Reply to the Sender and more | 35 | 16 | 119 | 2k+ | Non-prefixed global variable | ||
| #1768 | Popup for CF7 with Sweet Alert | 35 | 26 | 12 | 2k+ | Text Domain Mismatch | ||
| #1769 | CF7 Views – Complete Entry Management for Contact Form 7 | 35 | 172 | 181 | 1k+ | Output is not escaped | ||
| #1770 | Change Quantity on Checkout for WooCommerce | 35 | 270 | 32 | 4k+ | wp function not compatible with requires wp | ||
| #1771 | CiviCRM Admin Utilities | 35 | 19 | 87 | 1k+ | Non-prefixed hook name | ||
| #1772 | Cloudflare | 35 | 27 | 85 | 200k+ | Non-prefixed namespace | ||
| #1773 | Flexible SSL for CloudFlare | 35 | 9 | 6 | 100k+ | Output is not escaped | ||
| #1774 | CompressX — AVIF & WebP Converter, Media Replacement | 35 | 26 | 423 | 40k+ | Missing nonce verification | ||
| #1775 | Conditional Menus | 35 | 92 | 28 | 60k+ | Text Domain Mismatch | ||
| #1776 | Conditional Widgets | 35 | 67 | 33 | 7k+ | Output is not escaped | ||
| #1777 | Content Mask | 35 | 50 | 350 | 1k+ | Non-prefixed global variable | ||
| #1778 | GDPR Cookie Consent Notice Box | 35 | 46 | 17 | 1k+ | Output is not escaped | ||
| #1779 | Cookie Information – Cookie Banner with Consent Mode v2 | 35 | 185 | 28 | 2k+ | Output is not escaped | ||
| #1780 | Cookie-Script.com | 35 | 6 | 7 | 10k+ | Non-prefixed class | ||
| #1781 | Cookies and Content Security Policy | 35 | 261 | 412 | 10k+ | Output is not escaped | ||
| #1782 | Core Framework | 35 | 70 | 62 | 10k+ | Text Domain Mismatch | ||
| #1783 | Counter live visitors for WooCommerce | 35 | 189 | 39 | 10k+ | Short PHP open tag found | ||
| #1784 | Create Block Theme | 35 | 43 | 5 | 20k+ | unlink unlink | ||
| #1785 | CrowdSec | 35 | 130 | 119 | 2k+ | Output is not escaped | ||
| #1786 | CubeWP Framework | 35 | 114 | 71 | 4k+ | wp function not compatible with requires wp | ||
| #1787 | Cue by AudioTheme.com | 35 | 28 | 150 | 6k+ | Non-prefixed hook name | ||
| #1788 | Custom 404 Pro | 35 | 50 | 27 | 7k+ | wp function not compatible with requires wp | ||
| #1789 | Custom CSS and JavaScript | 35 | 38 | 91 | 10k+ | Input is not sanitized | ||
| #1790 | Custom Order Status for WooCommerce | 35 | 20 | 60 | 10k+ | Non-prefixed hook name | ||
| #1791 | Custom Post Type Maker | 35 | 240 | 86 | 6k+ | Unsafe printing function | ||
| #1792 | Customizer Backup & Reset | 35 | 8 | 10 | 7k+ | Output is not escaped | ||
| #1793 | Datafeedr Product Sets | 35 | 602 | 206 | 5k+ | Output is not escaped | ||
| #1794 | Deposits & Partial Payments for WooCommerce | 35 | 172 | 144 | 5k+ | Text Domain Mismatch | ||
| #1795 | Nexi Checkout | 35 | 45 | 308 | 3k+ | Dynamic hook name | ||
| #1796 | PiWeb Disable payment method / Partial payment for WooCommerce | 35 | 55 | 221 | 4k+ | Non-prefixed class | ||
| #1797 | Disable and Remove Google Fonts \| GDPR & DSGVO friendly | 35 | 21 | 8 | 100k+ | Missing Translators Comment | ||
| #1798 | Disable XML-RPC-API | 35 | 444 | 52 | 100k+ | Text Domain Mismatch | ||
| #1799 | Disk Usage Sunburst | 35 | 30 | 34 | 9k+ | Output is not escaped | ||
| #1800 | Potent Donations for WooCommerce | 35 | 14 | 25 | 2k+ | Missing nonce verification |