WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2151 | MailerLite – WooCommerce integration | 34 | 65 | 36 | 30k+ | Output is not escaped | ||
| #2152 | PostNL for WooCommerce | 34 | 597 | 104 | 3k+ | Text Domain Mismatch | ||
| #2153 | Simple Discount Rules for Woocommerce | 34 | 175 | 214 | 4k+ | Nonce verification recommended | ||
| #2154 | Integration for WooCommerce and Zoho CRM, Books, Invoice, Inventory, Bigin | 34 | 230 | 154 | 2k+ | Output is not escaped | ||
| #2155 | Advanced Free Shipping for WooCommerce | 34 | 270 | 132 | 40k+ | Text Domain Mismatch | ||
| #2156 | Digital Signature Add-on for WooCommerce | 34 | 165 | 76 | 1k+ | Text Domain Mismatch | ||
| #2157 | Product Tabs for WooCommerce | 34 | 196 | 93 | 10k+ | Text Domain Mismatch | ||
| #2158 | Woopra Analytics Plugin | 34 | 114 | 53 | 900 | Output is not escaped | ||
| #2159 | WP-Cron Status Checker | 34 | 277 | 111 | 5k+ | Text Domain Mismatch | ||
| #2160 | WP Custom Admin Interface | 34 | 263 | 118 | 30k+ | Unsafe printing function | ||
| #2161 | Wp Default Sender Email by IT Pixelz | 34 | 682 | 25 | 500 | Output is not escaped | ||
| #2162 | WP Dummy Content Generator | 34 | 93 | 130 | 6k+ | Output is not escaped | ||
| #2163 | WP Dynamic Keywords Injector | 34 | 44 | 205 | 1k+ | Nonce verification recommended | ||
| #2164 | WP Forms Signature Contract Add-On | 34 | 128 | 35 | 900 | Text Domain Mismatch | ||
| #2165 | Insert Headers And Footers | 34 | 83 | 113 | 300k+ | Non-prefixed global variable | ||
| #2166 | Email Template Designer – WP HTML Mail | 34 | 62 | 80 | 20k+ | badly named files | ||
| #2167 | WP LinkedIn Auto Publish | 34 | 165 | 56 | 8k+ | Output is not escaped | ||
| #2168 | WP Mail Logging | 34 | 76 | 258 | 300k+ | Nonce verification recommended | ||
| #2169 | WP Maintenance | 34 | 40 | 217 | 60k+ | Non-prefixed global variable | ||
| #2170 | LightStart – Maintenance Mode, Coming Soon and Landing Page Builder | 34 | 42 | 312 | 400k+ | Request data is not unslashed | ||
| #2171 | WP Notes Widget | 34 | 217 | 36 | 700 | Output is not escaped | ||
| #2172 | WP Popup Builder – Popup Forms and Marketing Lead Generation | 34 | 357 | 143 | 3k+ | Text Domain Mismatch | ||
| #2173 | WP Random Post Thumbnails | 34 | 420 | 26 | 1k+ | Text Domain Mismatch | ||
| #2174 | Thumbnail Slider With Lightbox | 34 | 244 | 141 | 700 | Output is not escaped | ||
| #2175 | Thumbnail carousel slider | 34 | 277 | 143 | 2k+ | Output is not escaped | ||
| #2176 | WP-SCSS | 34 | 269 | 13 | 40k+ | Exception output is not escaped | ||
| #2177 | WP SendFox | 34 | 296 | 118 | 1k+ | Text Domain Mismatch | ||
| #2178 | WP Subscription Forms – Subscription Form Plugin for WordPress | 34 | 131 | 220 | 400 | Non-prefixed global variable | ||
| #2179 | WP Twitter Feeds | 34 | 202 | 82 | 2k+ | Output is not escaped | ||
| #2180 | WP Ultimate Post Grid | 34 | 114 | 74 | 4k+ | Missing direct file access protection | ||
| #2181 | Vertical Image Slider | 34 | 264 | 138 | 1k+ | Output is not escaped | ||
| #2182 | Live Visitor Counter | 34 | 108 | 114 | 4k+ | Interpolated SQL is not prepared | ||
| #2183 | Wp Favs – Plugin Manager | 34 | 238 | 153 | 3k+ | Text Domain Mismatch | ||
| #2184 | WPLMS MyCred AddOn | 34 | 383 | 73 | 800 | Text Domain Mismatch | ||
| #2185 | Xml Sitemap Generator | 34 | 72 | 47 | 400 | SQL query is not prepared | ||
| #2186 | YourChannel: Everything you want in a YouTube plugin. | 34 | 262 | 115 | 10k+ | Text Domain Mismatch | ||
| #2187 | Embed Plus for YouTube Gallery, Livestream and Lazy Loading with Facades | 34 | 571 | 195 | 100k+ | Output is not escaped | ||
| #2188 | Zero Spam for WordPress | 34 | 79 | 393 | 20k+ | Non-prefixed global variable | ||
| #2189 | zipMoney(Zip Co) Payments Plugin for WooCommerce | 34 | 147 | 70 | 2k+ | Text Domain Mismatch | ||
| #2190 | Absolute Addons For Elementor | 35 | 86 | 286 | 400 | Non-prefixed global variable | ||
| #2191 | ACF Color Swatches | 35 | 50 | 21 | 1k+ | Text Domain Mismatch | ||
| #2192 | Advanced Custom Fields : CPT Options Pages | 35 | 37 | 11 | 2k+ | Output is not escaped | ||
| #2193 | ACF: Focal Point | 35 | 61 | 6 | 400 | Text Domain Mismatch | ||
| #2194 | Advanced Custom Fields: Image Aspect Ratio Crop Field | 35 | 70 | 37 | 20k+ | Text Domain Mismatch | ||
| #2195 | ACF: Image Hotspots Field | 35 | 26 | 5 | 2k+ | Text Domain Mismatch | ||
| #2196 | ACF OpenStreetMap Field | 35 | 40 | 46 | 9k+ | Non-prefixed global variable | ||
| #2197 | Ad Widget for WordPress | 35 | 68 | 14 | 2k+ | Output is not escaped | ||
| #2198 | Add to Calendar Button | 35 | 31 | 9 | 3k+ | Output is not escaped | ||
| #2199 | Admin Color Schemer | 35 | 166 | 20 | 1k+ | Exception output is not escaped | ||
| #2200 | AdPlugg WordPress Ad Plugin | 35 | 58 | 17 | 500 | Missing direct file access protection |