WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2001WPReplace内容字符替换插件33209195800Non Singular String Literal Domain
#2002XML Sitemaps3365622k+Output is not escaped
#2003Video Gallery – YouTube Playlist, Channel Gallery by YotuWP3327810120k+Missing Arg Domain
#2004Zita Site Library for Elementor331071351k+Text Domain Mismatch
#2005AFS Analytics3419498600Text Domain Mismatch
#2006Advanced Custom Fields: reCAPTCHA Field3410453800Text Domain Mismatch
#2007Advanced Shipping Validation for WooCommerce34331127400Text Domain Mismatch
#2008Advanced Twenty Seventeen34247983k+Text Domain Mismatch
#2009affiliate-toolkit – Multi-Network Affiliate & Amazon Product Display34326752k+Output is not escaped
#2010AGCA – Custom Dashboard & Login Page343504420k+Unsafe printing function
#2011All In One Favicon342146260k+Output is not escaped
#2012All-in-One WP Migration and Backup3447695m+Missing nonce verification
#2013Arconix Shortcodes341291084k+Output is not escaped
#2014Assistant – Every Day Productivity Apps34124974k+Exception output is not escaped
#2015Audit Trail349010710k+Unsafe printing function
#2016Automatic YouTube Gallery – Embed Auto-Updating YouTube Video Galleries, Feeds, Playlists & Channels34862559k+Direct Query
#2017AyeCode Connect3417825310k+Nonce verification recommended
#2018Bayarcash WooCommerce34148138700Non Singular String Literal Domain
#2019Beeketing for WooCommerce – Marketing Automation to Boost Sales34113123600SQL query is not prepared
#2020Blog-in-Blog346493800Non-prefixed function
#2021BoldGrid Easy SEO – Simple and Effective SEO3414910440k+Text Domain Mismatch
#2022Buckets346876500Output is not escaped
#2023BuddyPress & BuddyBoss Member Profile Forms34154121400Text Domain Mismatch
#2024Cache Master3437127400Output is not escaped
#2025SMS Abandoned Cart Recovery ✦ CartBoss346772400SQL query is not prepared
#2026Checkout Field Editor for WooCommerce – Checkout Manager341226420k+Text Domain Mismatch
#2027Clean Testimonials3412787400Output is not escaped
#2028CM Search And Replace – Optimize content edits with a powerful search and replace tool342861112k+Output is not escaped
#2029Contact Form 7 – PayPal & Stripe Add-on34932337k+Exception output is not escaped
#2030Cornerstone3416117430k+Nonce verification recommended
#2031CSS JS Manager, Async JavaScript, Defer Render Blocking CSS34761061k+Input is not validated
#2032Custom Login Page by SeedProd34330125500Output is not escaped
#2033Custom Post Type Attachment3415349800wp function not compatible with requires wp
#2034Datafeedr API34307486k+Output is not escaped
#2035DD Last Viewed34193132500Output is not escaped
#2036Debug Log Manager Tool34441433k+Nonce verification recommended
#2037Document Library Lite34149854k+Text Domain Mismatch
#2038Download After Email – Subscribe & Download Form Plugin34223567k+Input is not validated
#2039Dr. Flex3483511k+Output is not escaped
#2040Delisho – Recipe Widgets and Blocks34603551k+Input is not sanitized
#2041Easy Social Sharing34162401k+Non-prefixed global variable
#2042EasyIndex34741351k+Missing nonce verification
#2043Einsatzverwaltung341521281k+Output is not escaped
#2044ECS – Ele Custom Skin for Elementor3499205100k+Text Domain Mismatch
#2045Enhanced Text Widget341015830k+Output is not escaped
#2046ePayco Plugin for WooCommerce341551363k+Text Domain Mismatch
#2047Essential Classy Addons for Elementor – 150+ Widgets, Templates & Performance Tools34278186500Output is not escaped
#2048Estimated Delivery for WooCommerce34301701k+Short PHP open tag found
#2049Event Calendar Newsletter3496167600Non-prefixed hook name
#2050Event Post34329991k+Output is not escaped