WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
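The fixes above applied to one template function, shown beside the version the sniff flags. This is an added example, not code from WordPress Coding Standards or from any plugin listed on this page; it assumes WordPress is loaded, and the `myplugin_*` function names, the `$item` keys and the `myplugin` text domain are hypothetical.

```php
<?php
// Added example. Assumes WordPress is loaded; the myplugin_* names and the
// $item keys (label, url, tooltip, note) are hypothetical.

// Flagged: each echo prints dynamic data with no escaping call, so the sniff
// reports OutputNotEscaped for every variable that reaches the output.
function myplugin_render_item_flagged( array $item ) {
	echo '<h3>' . $item['label'] . '</h3>';
	echo '<a href="' . $item['url'] . '" title="' . $item['tooltip'] . '">Open</a>';
	echo '<div class="note">' . $item['note'] . '</div>';
}

// Also flagged: the pieces are escaped early, but the variable that is finally
// echoed is not, and nothing guarantees $html was not changed in between.
function myplugin_render_item_early( array $item ) {
	$html = '<h3>' . esc_html( $item['label'] ) . '</h3>';
	echo $html;
}

// Fixed: each value is escaped at the point of output, with the function that
// matches the context it lands in.
function myplugin_render_item( array $item ) {
	// Plain text inside an element.
	echo '<h3>' . esc_html( $item['label'] ) . '</h3>';

	// URL in href, text in an attribute, translated text as element content.
	printf(
		'<a href="%1$s" title="%2$s">%3$s</a>',
		esc_url( $item['url'] ),
		esc_attr( $item['tooltip'] ),
		esc_html__( 'Open', 'myplugin' )
	);

	// Limited HTML is intended here, so filter it to post-content tags
	// instead of escaping it to text.
	echo '<div class="note">' . wp_kses_post( $item['note'] ) . '</div>';
}

// Constructed sample input: markup in every field.
myplugin_render_item(
	array(
		'label'   => 'Report <script>alert(1)</script>',
		'url'     => 'javascript:alert(1)',
		'tooltip' => '" onmouseover="alert(1)',
		'note'    => '<strong>Kept</strong> <script>alert(1)</script>',
	)
);
```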
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue |
|---|---|---|---|---|---|---|
| #1901 | EchBay Phonering Alo | 33 | 74 | 47 | 1k+ | Output is not escaped |
| #1902 | Echelon Widgets for SiteOrigin | 33 | 667 | 5 | 900 | Output is not escaped |
| #1903 | Human Presence – Stop Form Spam Without ReCaptcha | 33 | 54 | 65 | 1k+ | Request data is not unslashed |
| #1904 | Fastly | 33 | 221 | 66 | 1k+ | Text Domain Mismatch |
| #1905 | FastPixel Cache – Optimize Page Speed: Compress Images, Minify, Clean Database & CDN | 33 | 51 | 333 | 4k+ | Request data is not unslashed |
| #1906 | FooGallery Migrate | 33 | 83 | 205 | 1k+ | Non-prefixed global variable |
| #1907 | Gallery Custom Links | 33 | 64 | 62 | 30k+ | Non Singular String Literal Domain |
| #1908 | GDPR Cookie Compliance – Cookie Banner, Cookie Consent, Cookie Notice for CCPA, EU Cookie Law | 33 | 48 | 370 | 300k+ | Non-prefixed global variable |
| #1909 | Geliver Akıllı Kargo Pazaryeri | 33 | 46 | 248 | 400 | Non-prefixed global variable |
| #1910 | GetResponse Forms by Optin Cat | 33 | 68 | 138 | 1k+ | Missing direct file access protection |
| #1911 | WP GIF Uploader | 33 | 117 | 44 | 1k+ | Text Domain Mismatch |
| #1912 | Five Star Restaurant Reviews | 33 | 242 | 142 | 400 | Output is not escaped |
| #1913 | Gravity Forms Eway | 33 | 519 | 45 | 500 | Missing Translators Comment |
| #1914 | GSheetConnector for Forminator Forms | 33 | 128 | 201 | 1k+ | Non-prefixed global variable |
| #1915 | Mentions légales [FR] | 33 | 238 | 48 | 2k+ | Text Domain Mismatch |
| #1916 | Flipbox – Awesomes Flip Boxes Image Overlay | 33 | 400 | 7,279 | 10k+ | Input is not validated |
| #1917 | Image Source Control Lite – Show Image Credits and Captions | 33 | 140 | 221 | 3k+ | Non-prefixed hook name |
| #1918 | ImageLinks – Interactive Image Builder with Hotspots | 33 | 517 | 90 | 1k+ | Text Domain Mismatch |
| #1919 | Inactive User Deleter | 33 | 453 | 170 | 800 | Output is not escaped |
| #1920 | InPost Gallery | 33 | 105 | 245 | 800 | Non-prefixed global variable |
| #1921 | WPZOOM Social Feed Widget & Block | 33 | 310 | 278 | 60k+ | Unsafe printing function |
| #1922 | Intagrate Lite | 33 | 94 | 152 | 4k+ | date date |
| #1923 | IP2Location Redirection | 33 | 194 | 115 | 7k+ | Output is not escaped |
| #1924 | IssueM | 33 | 56 | 173 | 600 | Request data is not unslashed |
| #1925 | ITRO Popup Plugin | 33 | 591 | 135 | 6k+ | Output is not escaped |
| #1926 | Janolaw AGB Hosting | 33 | 198 | 11 | 1k+ | Short PHP open tag found |
| #1927 | JetWidgets for Elementor and WooCommerce | 33 | 187 | 146 | 8k+ | Text Domain Mismatch |
| #1928 | jQuery Manager for WordPress | 33 | 86 | 24 | 7k+ | Output is not escaped |
| #1929 | Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid | 33 | 274 | 106 | 3k+ | Text Domain Mismatch |
| #1930 | LWSCache | 33 | 47 | 104 | 6k+ | Non-prefixed global variable |
| #1931 | Forms for Mailchimp by Optin Cat – Grow Your MailChimp List | 33 | 71 | 133 | 2k+ | Missing direct file access protection |
| #1932 | MailUp for WordPress – Email and Newsletter Subscription Form | 33 | 251 | 100 | 2k+ | Text Domain Mismatch |
| #1933 | MAS Companies For WP Job Manager | 33 | 62 | 308 | 1k+ | Non-prefixed hook name |
| #1934 | Members – Membership & User Role Editor Plugin | 33 | 234 | 244 | 300k+ | Output is not escaped |
| #1935 | Merge + Minify + Refresh | 33 | 78 | 26 | 4k+ | date date |
| #1936 | Mollie Payments for WooCommerce | 33 | 70 | 123 | 100k+ | Dynamic hook name |
| #1937 | Molongui Post Contributors: Multi-Role Contributor Attribution | 33 | 240 | 162 | 400 | Output is not escaped |
| #1938 | More Types | 33 | 227 | 198 | 800 | Non-prefixed global variable |
| #1939 | MPL-Publisher — Ebook & Audiobook Creator | 33 | 489 | 76 | 800 | Text Domain Mismatch |
| #1940 | Newebpay Payment | 33 | 146 | 115 | 600 | Text Domain Mismatch |
| #1941 | News Announcement Scroll | 33 | 237 | 259 | 2k+ | Non-prefixed global variable |
| #1942 | GDPR CCPA Compliance & Cookie Consent Banner | 33 | 622 | 87 | 1k+ | Non Singular String Literal Domain |
| #1943 | Nomad World Map | 33 | 424 | 191 | 700 | Text Domain Mismatch |
| #1944 | Notification Master – Real-Time WordPress Notifications With Email, SMS, Webhooks & More | 33 | 293 | 215 | 1k+ | Text Domain Mismatch |
| #1945 | Offen | 33 | 313 | 115 | 500 | Output is not escaped |
| #1946 | Pastacode | 33 | 77 | 66 | 400 | Non-prefixed global variable |
| #1947 | Payflex Payment Gateway | 33 | 181 | 61 | 1k+ | Text Domain Mismatch |
| #1948 | PeproDev WooCommerce Receipt Uploader | 33 | 325 | 49 | 1k+ | Non Singular String Literal Domain |
| #1949 | Picture Gallery – Frontend Image Uploads, AJAX Photo List | 33 | 112 | 150 | 400 | Request data is not unslashed |
| #1950 | Pixelgrade Assistant | 33 | 665 | 141 | 2k+ | Text Domain Mismatch |