WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1951 | Live Sales Notification (Recent Sales Popups) | 33 | 114 | 120 | 400 | SQL query is not prepared | ||
| #1952 | Save as PDF Plugin by PDFCrowd | 33 | 299 | 254 | 1k+ | Non-prefixed global variable | ||
| #1953 | Schema & Structured Data for WP & AMP | 33 | 63 | 246 | 100k+ | Non-prefixed global variable | ||
| #1954 | Service Box – Icon Box Showcase | 33 | 385 | 230 | 3k+ | Non Singular String Literal Domain | ||
| #1955 | Sessions | 33 | 196 | 103 | 900 | Output is not escaped | ||
| #1956 | TaxCloud for WooCommerce | 33 | 23 | 261 | 500 | Non-prefixed function | ||
| #1957 | Slider Path for Elementor | 33 | 329 | 100 | 700 | Text Domain Mismatch | ||
| #1958 | SMTP2GO for WordPress – Email Made Easy | 33 | 186 | 111 | 30k+ | Output is not escaped | ||
| #1959 | Social Rocket – Social Sharing Plugin | 33 | 1,016 | 255 | 1k+ | Unsafe printing function | ||
| #1960 | Spiffy Calendar | 33 | 473 | 243 | 3k+ | Output is not escaped | ||
| #1961 | Spin Wheel – Interactive spinning wheel that offers coupons | 33 | 680 | 313 | 500 | Unsafe printing function | ||
| #1962 | Simple Sticky Add To Cart For WooCommerce | 33 | 401 | 70 | 900 | Text Domain Mismatch | ||
| #1963 | Gravity Booster – Styles & Layouts for Gravity Forms | 33 | 277 | 87 | 40k+ | Missing Arg Domain | ||
| #1964 | Sublanguage | 33 | 266 | 287 | 700 | Output is not escaped | ||
| #1965 | Telegram Bot & Channel | 33 | 182 | 113 | 600 | Unsafe printing function | ||
| #1966 | Testimonial Slider – Free Testimonials Slider Plugin | 33 | 91 | 50 | 700 | Request data is not unslashed | ||
| #1967 | Envato Toolkit | 33 | 219 | 69 | 5k+ | Output is not escaped | ||
| #1968 | TP Education | 33 | 186 | 303 | 800 | Unsafe printing function | ||
| #1969 | TrackingMore Order Tracking for WooCommerce (Free plan available) | 33 | 94 | 124 | 700 | Text Domain Mismatch | ||
| #1970 | WP Twitter Auto Publish | 33 | 442 | 171 | 4k+ | Output is not escaped | ||
| #1971 | Uix Shortcodes | 33 | 246 | 444 | 400 | Non-prefixed global variable | ||
| #1972 | Display Posts As List, Grid, Thumbs | 33 | 442 | 241 | 900 | Output is not escaped | ||
| #1973 | Variation Swatches for WooCommerce | 33 | 469 | 116 | 50k+ | Text Domain Mismatch | ||
| #1974 | Multi-Carrier EasyPost Shipping Methods & Address Validation for WooCommerce | 33 | 424 | 69 | 400 | Non Singular String Literal Domain | ||
| #1975 | Multi-Carrier Shippo Shipping Rates & Address Validation for WooCommerce | 33 | 411 | 73 | 3k+ | Non Singular String Literal Domain | ||
| #1976 | Webmention | 33 | 64 | 89 | 900 | Output is not escaped | ||
| #1977 | Website Monetization by MageNet | 33 | 60 | 87 | 20k+ | Output is not escaped | ||
| #1978 | Textmetrics | 33 | 324 | 163 | 400 | Output is not escaped | ||
| #1979 | White Label CMS | 33 | 412 | 202 | 200k+ | Unsafe printing function | ||
| #1980 | Rich Showcase for Google Reviews | 33 | 213 | 278 | 100k+ | Output is not escaped | ||
| #1981 | Wonder Slider Lite | 33 | 273 | 187 | 8k+ | Output is not escaped | ||
| #1982 | Product Addons for Woocommerce – Product Options with Custom Fields | 33 | 124 | 114 | 30k+ | Output is not escaped | ||
| #1983 | Min Max Control – Min Max Quantity & Step Control for WooCommerce | 33 | 96 | 215 | 10k+ | Non-prefixed global variable | ||
| #1984 | Hyyan WooCommerce Polylang Integration | 33 | 141 | 220 | 8k+ | Nonce verification recommended | ||
| #1985 | CartBounty – Save and recover abandoned carts for WooCommerce | 33 | 370 | 399 | 10k+ | Output is not escaped | ||
| #1986 | Pay. Payment Methods for WooCommerce | 33 | 318 | 104 | 3k+ | Non Singular String Literal Domain | ||
| #1987 | PDF Invoices Italian Add-on for WooCommerce | 33 | 325 | 200 | 5k+ | Non Singular String Literal Domain | ||
| #1988 | WOW Slider | 33 | 176 | 101 | 3k+ | Output is not escaped | ||
| #1989 | Books Gallery – Book Showcase, Library & Affiliate Plugin | 33 | 1,753 | 178 | 2k+ | Output is not escaped | ||
| #1990 | WP Edit | 33 | 337 | 137 | 40k+ | Unsafe printing function | ||
| #1991 | WP EXtra – One Click Optimize | 33 | 414 | 101 | 7k+ | Missing Arg Domain | ||
| #1992 | WP Social AutoConnect | 33 | 290 | 144 | 400 | Output is not escaped | ||
| #1993 | Connector for Gravity Forms and Google Sheets | 33 | 692 | 155 | 3k+ | Text Domain Mismatch | ||
| #1994 | EasyMedia – Increase Media Upload File Size | Role-Based Upload Limit | Increase Execution Time | 33 | 82 | 138 | 70k+ | Non-prefixed global variable | ||
| #1995 | WebToffee WP Backup and Migration | 33 | 132 | 222 | 5k+ | Non-prefixed global variable | ||
| #1996 | WP MyLinks | 33 | 354 | 206 | 1k+ | Text Domain Mismatch | ||
| #1997 | WP Theme Optimizer | 33 | 388 | 80 | 400 | Output is not escaped | ||
| #1998 | WP-UserOnline | 33 | 111 | 161 | 10k+ | Output is not escaped | ||
| #1999 | Editor Blocks by Download Manager | 33 | 174 | 102 | 5k+ | Output is not escaped | ||
| #2000 | WPoperation Elementor Addons | 33 | 891 | 52 | 1k+ | Text Domain Mismatch |