WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
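The three fixes above applied to one template, as an added example (not taken from WordPress Coding Standards or from any plugin listed on this page). It assumes WordPress is loaded; the `myplugin_*` function, meta key and option names are hypothetical.

```php
<?php
// Added example: hypothetical plugin template, before and after escaping.

// Before: each echo prints stored data as-is and is reported as OutputNotEscaped.
function myplugin_render_card_unescaped( $post_id ) {
	$title = get_post_meta( $post_id, 'myplugin_title', true );
	$link  = get_post_meta( $post_id, 'myplugin_link', true );
	$note  = get_option( 'myplugin_note' );

	echo '<div class="card" title="' . $title . '">';
	echo '<h3><a href="' . $link . '">' . $title . '</a></h3>';
	echo '<div class="note">' . $note . '</div>';
	echo '</div>';
}

// After: values stay raw until the echo, where the output context is known.
// The same $title needs esc_attr() in the attribute and esc_html() in the text node.
function myplugin_render_card( $post_id ) {
	$title = get_post_meta( $post_id, 'myplugin_title', true );
	$link  = get_post_meta( $post_id, 'myplugin_link', true );
	$note  = get_option( 'myplugin_note' );

	// The note intentionally allows limited HTML: only these tags and attributes survive.
	$allowed_note_html = array(
		'a'      => array( 'href' => true ),
		'em'     => array(),
		'strong' => array(),
	);

	echo '<div class="card" title="' . esc_attr( $title ) . '">';
	echo '<h3><a href="' . esc_url( $link ) . '">' . esc_html( $title ) . '</a></h3>';
	echo '<div class="note">' . wp_kses( $note, $allowed_note_html ) . '</div>';
	echo '</div>';
}
```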
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #1851 | WPForms – AI Form Builder for WordPress – Contact Forms, Payment Forms, Survey Form, Quiz & More | 32 | 165 | 273 | 5m+ | Non-prefixed global variable | ||
| #1852 | WT GeoTargeting | 32 | 89 | 43 | 1k+ | Output is not escaped | ||
| #1853 | Dynamic XML Sitemaps Generator for Google | 32 | 74 | 411 | 20k+ | Non-prefixed global variable | ||
| #1854 | YITH Infinite Scrolling | 32 | 387 | 1,417 | 10k+ | Non-prefixed global variable | ||
| #1855 | YITH WooCommerce Badge Management | 32 | 413 | 1,446 | 10k+ | Non-prefixed global variable | ||
| #1856 | YITH WooCommerce Compare | 32 | 422 | 1,508 | 100k+ | Non-prefixed global variable | ||
| #1857 | YITH WooCommerce Quick View | 32 | 388 | 1,420 | 90k+ | Non-prefixed global variable | ||
| #1858 | Yoo Slider – Image Slider & Video Slider | 32 | 744 | 209 | 600 | Output is not escaped | ||
| #1859 | Advanced Custom Fields: Typography Field | 33 | 445 | 57 | 4k+ | Text Domain Mismatch | ||
| #1860 | Extra Product Options Builder for WooCommerce | 33 | 101 | 155 | 2k+ | Non-prefixed hook name | ||
| #1861 | Advanced Forms for ACF | 33 | 169 | 278 | 3k+ | Non-prefixed hook name | ||
| #1862 | Affiliate Program & Referral Tracking for WooCommerce & WordPress – Affilia | 33 | 80 | 172 | 500 | Nonce verification recommended | ||
| #1863 | Agile CRM | 33 | 163 | 81 | 600 | wp function not compatible with requires wp | ||
| #1864 | Archive Posts Sort Customize | 33 | 338 | 97 | 600 | Output is not escaped | ||
| #1865 | Arconix Shortcodes | 33 | 129 | 107 | 4k+ | Output is not escaped | ||
| #1866 | Auto Listings – Car Listings & Car Dealership Plugin for WordPress | 33 | 80 | 321 | 2k+ | Non-prefixed global variable | ||
| #1867 | Premium Portfolio Features for Phlox theme | 33 | 204 | 137 | 40k+ | Output is not escaped | ||
| #1868 | AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth | 33 | 33 | 229 | 9k+ | Non-prefixed global variable | ||
| #1869 | Awesome Widgets for SiteOrigin Page Builder | 33 | 314 | 59 | 500 | Text Domain Mismatch | ||
| #1870 | Background Per Page | 33 | 80 | 56 | 700 | Text Domain Mismatch | ||
| #1871 | Bayarcash WooCommerce | 33 | 149 | 138 | 700 | Non Singular String Literal Domain | ||
| #1872 | Ultimate Before After Image Slider & Gallery – BEAF | 33 | 488 | 87 | 30k+ | Text Domain Mismatch | ||
| #1873 | Bosta WooCommerce | 33 | 303 | 180 | 700 | Text Domain Mismatch | ||
| #1874 | Activity Plus Reloaded for BuddyPress | 33 | 88 | 93 | 1k+ | Output is not escaped | ||
| #1875 | Five Star Business Profile and Schema | 33 | 289 | 138 | 7k+ | Output is not escaped | ||
| #1876 | Addi – Cuotas que se adaptan a ti | 33 | 106 | 209 | 2k+ | Direct Query | ||
| #1877 | Cargus | 33 | 48 | 64 | 700 | Input is not sanitized | ||
| #1878 | Nexi XPay | 33 | 496 | 277 | 6k+ | Text Domain Mismatch | ||
| #1879 | CartPops – High Converting Add To Cart Popup For WooCommerce | 33 | 63 | 188 | 4k+ | Non-prefixed global variable | ||
| #1880 | CB Custom Beaver Builder Modules | 33 | 748 | 4 | 1k+ | Output is not escaped | ||
| #1881 | Century ToolKit | 33 | 118 | 78 | 800 | Output is not escaped | ||
| #1882 | Chartify – WordPress Chart Plugin | 33 | 76 | 411 | 3k+ | Non-prefixed global variable | ||
| #1883 | ChatHelp – Click to Chat Button, WooCommerce Chat to Order & Floating Chat Form | 33 | 57 | 204 | 1k+ | Non-prefixed global variable | ||
| #1884 | Civic Cookie Control | 33 | 1,881 | 219 | 2k+ | Text Domain Mismatch | ||
| #1885 | Clicky Analytics | 33 | 166 | 92 | 10k+ | Output is not escaped | ||
| #1886 | Companion Auto Update | 33 | 159 | 298 | 50k+ | Direct Query | ||
| #1887 | Companion Sitemap Generator – Simple, Smart, and SEO-Ready | 33 | 118 | 57 | 7k+ | Missing Translators Comment | ||
| #1888 | Conekta Payment Gateway | 33 | 240 | 61 | 2k+ | Text Domain Mismatch | ||
| #1889 | Contact Form Plugin | 33 | 47 | 220 | 2k+ | Non-prefixed function | ||
| #1890 | Contact List – Online Staff Directory & Address Book | 33 | 118 | 342 | 1k+ | Nonce verification recommended | ||
| #1891 | Chatbot with IBM watsonx Assistant | 33 | 324 | 83 | 400 | Non Singular String Literal Domain | ||
| #1892 | Countdown Timer | 33 | 311 | 17 | 900 | Text Domain Mismatch | ||
| #1893 | Chwazi – Delivery & Pickup Scheduling for WooCommerce | 33 | 563 | 192 | 600 | Text Domain Mismatch | ||
| #1894 | Device Detector | 33 | 209 | 112 | 600 | Output is not escaped | ||
| #1895 | DJ-Accessibility – Accessibility Plugin | 33 | 370 | 48 | 3k+ | Text Domain Mismatch | ||
| #1896 | Login & Register Customizer – Popup \| Slider \| Inline \| WooCommerce | 33 | 265 | 230 | 40k+ | Output is not escaped | ||
| #1897 | Easy Timer | 33 | 78 | 450 | 1k+ | Non-prefixed global variable | ||
| #1898 | EchBay Phonering Alo | 33 | 74 | 47 | 1k+ | Output is not escaped | ||
| #1899 | Echelon Widgets for SiteOrigin | 33 | 667 | 5 | 900 | Output is not escaped | ||
| #1900 | Human Presence – Stop Form Spam Without ReCaptcha | 33 | 54 | 65 | 1k+ | Request data is not unslashed |