WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2151MailerLite – WooCommerce integration34653630k+Output is not escaped
#2152PostNL for WooCommerce345971043k+Text Domain Mismatch
#2153Simple Discount Rules for Woocommerce341752144k+Nonce verification recommended
#2154Integration for WooCommerce and Zoho CRM, Books, Invoice, Inventory, Bigin342301542k+Output is not escaped
#2155Advanced Free Shipping for WooCommerce3427013240k+Text Domain Mismatch
#2156Digital Signature Add-on for WooCommerce34165761k+Text Domain Mismatch
#2157Product Tabs for WooCommerce341969310k+Text Domain Mismatch
#2158Woopra Analytics Plugin3411453900Output is not escaped
#2159WP-Cron Status Checker342771115k+Text Domain Mismatch
#2160WP Custom Admin Interface3426311830k+Unsafe printing function
#2161Wp Default Sender Email by IT Pixelz3468225500Output is not escaped
#2162WP Dummy Content Generator34931306k+Output is not escaped
#2163WP Dynamic Keywords Injector34442051k+Nonce verification recommended
#2164WP Forms Signature Contract Add-On3412835900Text Domain Mismatch
#2165Insert Headers And Footers3483113300k+Non-prefixed global variable
#2166Email Template Designer – WP HTML Mail34628020k+badly named files
#2167WP LinkedIn Auto Publish34165568k+Output is not escaped
#2168WP Mail Logging3476258300k+Nonce verification recommended
#2169WP Maintenance344021760k+Non-prefixed global variable
#2170LightStart – Maintenance Mode, Coming Soon and Landing Page Builder3442312400k+Request data is not unslashed
#2171WP Notes Widget3421736700Output is not escaped
#2172WP Popup Builder – Popup Forms and Marketing Lead Generation343571433k+Text Domain Mismatch
#2173WP Random Post Thumbnails34420261k+Text Domain Mismatch
#2174Thumbnail Slider With Lightbox34244141700Output is not escaped
#2175Thumbnail carousel slider342771432k+Output is not escaped
#2176WP-SCSS342691340k+Exception output is not escaped
#2177WP SendFox342961181k+Text Domain Mismatch
#2178WP Subscription Forms – Subscription Form Plugin for WordPress34131220400Non-prefixed global variable
#2179WP Twitter Feeds34202822k+Output is not escaped
#2180WP Ultimate Post Grid34114744k+Missing direct file access protection
#2181Vertical Image Slider342641381k+Output is not escaped
#2182Live Visitor Counter341081144k+Interpolated SQL is not prepared
#2183Wp Favs – Plugin Manager342381533k+Text Domain Mismatch
#2184WPLMS MyCred AddOn3438373800Text Domain Mismatch
#2185Xml Sitemap Generator347247400SQL query is not prepared
#2186YourChannel: Everything you want in a YouTube plugin.3426211510k+Text Domain Mismatch
#2187Embed Plus for YouTube Gallery, Livestream and Lazy Loading with Facades34571195100k+Output is not escaped
#2188Zero Spam for WordPress347939320k+Non-prefixed global variable
#2189zipMoney(Zip Co) Payments Plugin for WooCommerce34147702k+Text Domain Mismatch
#2190Absolute Addons For Elementor3586286400Non-prefixed global variable
#2191ACF Color Swatches3550211k+Text Domain Mismatch
#2192Advanced Custom Fields : CPT Options Pages3537112k+Output is not escaped
#2193ACF: Focal Point35616400Text Domain Mismatch
#2194Advanced Custom Fields: Image Aspect Ratio Crop Field35703720k+Text Domain Mismatch
#2195ACF: Image Hotspots Field352652k+Text Domain Mismatch
#2196ACF OpenStreetMap Field3540469k+Non-prefixed global variable
#2197Ad Widget for WordPress3568142k+Output is not escaped
#2198Add to Calendar Button353193k+Output is not escaped
#2199Admin Color Schemer35166201k+Exception output is not escaped
#2200AdPlugg WordPress Ad Plugin355817500Missing direct file access protection