WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
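
The fixes above applied to one template, as an added example (not code from WordPress Coding Standards or from any plugin listed on this page). The `acme_` function names, the text domain and the user-meta keys are hypothetical, and the code assumes it is loaded by a plugin inside WordPress.

```php
<?php
// Added illustration: hypothetical plugin code that runs inside WordPress,
// where esc_html(), esc_attr(), esc_url() and wp_kses_post() are defined.

// Flagged form: stored values reach the page with no escaping call, so the
// sniff reports OutputNotEscaped for each variable in the echo statements.
function acme_profile_card_unescaped( $user_id ) {
	$name    = get_user_meta( $user_id, 'acme_display_name', true );
	$website = get_user_meta( $user_id, 'acme_website', true );
	$bio     = get_user_meta( $user_id, 'acme_bio', true );

	echo '<div class="acme-card" title="' . $name . '">'; // attribute context
	echo '<h3>' . $name . '</h3>';                         // plain-text context
	echo '<a href="' . $website . '">Website</a>';         // URL context
	echo '<div class="acme-bio">' . $bio . '</div>';       // limited-HTML context
	echo '</div>';
}

// Corrected form: the values stay raw until the moment they are printed, and
// each print site picks the function for its own context. $name is printed
// twice and needs a different function each time, which is why escaping it
// once, early, would not be enough.
function acme_profile_card( $user_id ) {
	$name    = get_user_meta( $user_id, 'acme_display_name', true );
	$website = get_user_meta( $user_id, 'acme_website', true );
	$bio     = get_user_meta( $user_id, 'acme_bio', true );
	?>
	<div class="acme-card" title="<?php echo esc_attr( $name ); ?>">
		<h3><?php echo esc_html( $name ); ?></h3>
		<a href="<?php echo esc_url( $website ); ?>">
			<?php esc_html_e( 'Website', 'acme' ); ?>
		</a>
		<div class="acme-bio">
			<?php echo wp_kses_post( $bio ); // keeps only HTML allowed in post content ?>
		</div>
	</div>
	<?php
}
```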
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue |
|---|---|---|---|---|---|---|
| #1801 | Post and Page Builder by BoldGrid – Visual Drag and Drop Editor | 32 | 348 | 258 | 50k+ | Output is not escaped |
| #1802 | Posti Shipping | 32 | 664 | 157 | 1k+ | Text Domain Mismatch |
| #1803 | Volunteer Sign Up Sheets | 32 | 967 | 401 | 1k+ | Output is not escaped |
| #1804 | Payment Plugins for PayPal WooCommerce | 32 | 214 | 125 | 90k+ | Missing Translators Comment |
| #1805 | Quick Featured Images | 32 | 436 | 323 | 50k+ | Non-prefixed global variable |
| #1806 | Responsive Filterable Portfolio Gallery – Media Grid & Video Portfolio | 32 | 436 | 163 | 1k+ | Output is not escaped |
| #1807 | Restrict Usernames Emails Characters | 32 | 327 | 367 | 1k+ | Output is not escaped |
| #1808 | WowRevenue – Product Bundles & Bulk Discounts | 32 | 19 | 2,027 | 1k+ | Non-prefixed global variable |
| #1809 | Revolut Gateway for WooCommerce | 32 | 85 | 157 | 6k+ | Input is not sanitized |
| #1810 | RSS for Yandex Turbo | 32 | 687 | 307 | 20k+ | Unsafe printing function |
| #1811 | Shariff Wrapper | 32 | 33 | 404 | 30k+ | Non-prefixed global variable |
| #1812 | Showcase IDX Real Estate Search & Lead Capture | 32 | 123 | 52 | 2k+ | Output is not escaped |
| #1813 | Simple Ajax Chat – Add a Fast, Secure Chat Box | 32 | 108 | 266 | 2k+ | Output is not escaped |
| #1814 | Site Search 360 | 32 | 204 | 230 | 400 | Output is not escaped |
| #1815 | Sky Addons for Elementor | 32 | 85 | 351 | 2k+ | Non-prefixed namespace |
| #1816 | Split Test For Elementor | 32 | 98 | 132 | 3k+ | Non-prefixed global variable |
| #1817 | Spoki – Chat Buttons and WooCommerce Notifications | 32 | 1,074 | 260 | 700 | Unsafe printing function |
| #1818 | Stock Locations for WooCommerce | 32 | 548 | 360 | 1k+ | Output is not escaped |
| #1819 | Stock Sync for WooCommerce | 32 | 362 | 232 | 1k+ | Text Domain Mismatch |
| #1820 | Subscribe2 – Form, Email Subscribers & Newsletters | 32 | 32 | 410 | 10k+ | Direct Query |
| #1821 | System Dashboard | 32 | 91 | 205 | 1k+ | Request data is not unslashed |
| #1822 | Tainacan Support for Blocksy | 32 | 244 | 526 | 500 | Non-prefixed global variable |
| #1823 | Theme My Login | 32 | 251 | 549 | 60k+ | Non-prefixed function |
| #1824 | Thrive Automator | 32 | 84 | 84 | 10k+ | SQL query is not prepared |
| #1825 | TK Google Fonts GDPR Compliant | 32 | 582 | 34 | 1k+ | Output is not escaped |
| #1826 | Tumult Hype Animations | 32 | 56 | 117 | 1k+ | Output is not escaped |
| #1827 | UiCore Blocks – Free WordPress Gutenberg Blocks | 32 | 59 | 387 | 500 | Non-prefixed global variable |
| #1828 | Ultimate Store Kit – Addon For WooCommerce, EDD and Elementor | 32 | 57 | 293 | 4k+ | Post Not In exclude |
| #1829 | Unbounce Landing Pages | 32 | 169 | 86 | 10k+ | Output is not escaped |
| #1830 | Secure Client Portal and Private File Sharing Plugin – User Private Files | 32 | 183 | 510 | 1k+ | Non-prefixed global variable |
| #1831 | Multi Currency For WooCommerce | 32 | 87 | 70 | 1k+ | Non-prefixed global variable |
| #1832 | Webdzier Companion | 32 | 539 | 89 | 800 | Text Domain Mismatch |
| #1833 | WebwinkelKeur: Webshop keurmerk & reviews for WordPress | 32 | 200 | 47 | 4k+ | Short PHP open tag found |
| #1834 | Management App for WooCommerce – Order notifications, Order management, Lead management, Uptime Monitoring | 32 | 196 | 160 | 900 | Text Domain Mismatch |
| #1835 | Easy 3D Viewer | 32 | 399 | 241 | 1k+ | Text Domain Mismatch |
| #1836 | BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net | 32 | 5 | 933 | 40k+ | Non-prefixed global variable |
| #1837 | Sola Payment Gateway for WooCommerce | 32 | 112 | 115 | 700 | Missing Translators Comment |
| #1838 | Payment Gateway for Redsys & WooCommerce Lite | 32 | 125 | 75 | 20k+ | Text Domain Mismatch |
| #1839 | WooMS | 32 | 199 | 58 | 500 | Output is not escaped |
| #1840 | WP 2-step verification | 32 | 154 | 65 | 1k+ | Output is not escaped |
| #1841 | WP Bannerize Pro | 32 | 281 | 216 | 800 | Text Domain Mismatch |
| #1842 | WP fail2ban – Advanced Security | 32 | 75 | 153 | 60k+ | Dynamic hook name |
| #1843 | wp-jalali | 32 | 219 | 66 | 10k+ | Text Domain Mismatch |
| #1844 | WP Popup | 32 | 539 | 65 | 1k+ | Text Domain Mismatch |
| #1845 | SEOPress – AI SEO Plugin & On-site SEO | 32 | 138 | 429 | 300k+ | Non-prefixed global variable |
| #1846 | WP-Stats | 32 | 237 | 126 | 2k+ | Output is not escaped |
| #1847 | WP Weixin | 32 | 60 | 152 | 400 | Non-prefixed constant |
| #1848 | WPCasa – Real Estate for WordPress | 32 | 85 | 429 | 1k+ | Non-prefixed global variable |
| #1849 | wpDirAuth | 32 | 250 | 135 | 600 | wp function not compatible with requires wp |
| #1850 | WPForms – AI Form Builder for WordPress – Contact Forms, Payment Forms, Survey Form, Quiz & More | 32 | 165 | 273 | 5m+ | Non-prefixed global variable |