WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2201 | Air WP Sync – Airtable to WordPress | 35 | 37 | 45 | 1k+ | Non-prefixed hook name | ||
| #2202 | Akismet Anti-spam: Spam Protection | 35 | 33 | 99 | 5m+ | Non-prefixed global variable | ||
| #2203 | AMIMOTO Plugin Dashboard | 35 | 82 | 82 | 900 | Non Singular String Literal Domain | ||
| #2204 | Amministrazione Trasparente | 35 | 80 | 46 | 1k+ | Output is not escaped | ||
| #2205 | AnsPress – Question and answer | 35 | 22 | 778 | 3k+ | Non-prefixed function | ||
| #2206 | Tuskcode Map Pro for Bing Maps | 35 | 59 | 359 | 600 | Direct Query | ||
| #2207 | AppMySite – WordPress & WooCommerce Mobile App Builder (No-Code Android & iOS App Maker) | 35 | 165 | 37 | 7k+ | Missing Arg Domain | ||
| #2208 | Aquila Admin Theme | 35 | 151 | 329 | 3k+ | Non-prefixed global variable | ||
| #2209 | Author Box WP Lens | 35 | 169 | 49 | 900 | Unsafe printing function | ||
| #2210 | Authors Widget | 35 | 170 | 19 | 1k+ | Output is not escaped | ||
| #2211 | Autocomplete For Relevanssi | 35 | 30 | 9 | 900 | Unsafe printing function | ||
| #2212 | Avif Express | 35 | 26 | 167 | 400 | Input is not validated | ||
| #2213 | Awin – Advertiser Tracking for WooCommerce | 35 | 46 | 39 | 1k+ | Non Singular String Literal Domain | ||
| #2214 | AXP Cyrillic to Latin | 35 | 21 | 3 | 1k+ | Output is not escaped | ||
| #2215 | BabyLoveGrowth Integration | 35 | 2 | 10 | 1k+ | Direct Query | ||
| #2216 | Basic Google Maps Placemarks | 35 | 189 | 80 | 3k+ | Output is not escaped | ||
| #2217 | Before After Image Comparison Slider for WPBakery Page Builder | 35 | 58 | 59 | 1k+ | Output is not escaped | ||
| #2218 | belingoGeo | 35 | 136 | 133 | 1k+ | Output is not escaped | ||
| #2219 | Better Plugin Compatibility Control | 35 | 7 | 4 | 4k+ | trademarked term | ||
| #2220 | Better Recent Comments | 35 | 127 | 29 | 2k+ | Text Domain Mismatch | ||
| #2221 | Bicycles by falbar | 35 | 426 | 65 | 600 | Output is not escaped | ||
| #2222 | Lord of the Files: Enhanced Upload Security | 35 | 62 | 42 | 1k+ | Non-prefixed global variable | ||
| #2223 | Block Comment Spam Bots | 35 | 31 | 17 | 800 | Output is not escaped | ||
| #2224 | Gutenberg Block for WooCommerce Product Table | 35 | 14 | 4 | 3k+ | Hidden files included | ||
| #2225 | Block Manager | 35 | 33 | 26 | 4k+ | Text Domain Mismatch | ||
| #2226 | Block User Account | 35 | 280 | 143 | 1k+ | Unsafe printing function | ||
| #2227 | Blogsqode – Blog Layouts and News Post Design | 35 | 430 | 63 | 400 | Text Domain Mismatch | ||
| #2228 | BlossomThemes Toolkit | 35 | 347 | 52 | 30k+ | Output is not escaped | ||
| #2229 | Tooltipy (tooltips for WP) | 35 | 370 | 125 | 1k+ | Text Domain Mismatch | ||
| #2230 | Bootstrap for Contact Form 7 | 35 | 35 | 73 | 10k+ | Nonce verification recommended | ||
| #2231 | BORICA Payments by BORICA AD | 35 | 537 | 196 | 500 | Text Domain Mismatch | ||
| #2232 | BuddyPress Activity Filter | 35 | 25 | 66 | 400 | Nonce verification recommended | ||
| #2233 | Custom Order Status Manager for WooCommerce | 35 | 630 | 67 | 30k+ | Text Domain Mismatch | ||
| #2234 | Registration Options for BuddyPress | 35 | 47 | 132 | 1k+ | Non-prefixed function | ||
| #2235 | Brozzme DB Prefix & Tools Addons | 35 | 24 | 42 | 10k+ | Request data is not unslashed | ||
| #2236 | BSK Forms Blacklist | 35 | 831 | 550 | 1k+ | Output is not escaped | ||
| #2237 | BTCPay Server – Accept Bitcoin payments in WooCommerce | 35 | 48 | 86 | 1k+ | Missing nonce verification | ||
| #2238 | BugHerd | 35 | 8 | 2 | 3k+ | Output is not escaped | ||
| #2239 | Business Hours Indicator | 35 | 139 | 106 | 8k+ | Alternative PHP tag found | ||
| #2240 | Buying Buddy IDX CRM – Real Estate MLS Plugin | 35 | 71 | 240 | 500 | Request data is not unslashed | ||
| #2241 | C3 Cloudfront Cache Controller | 35 | 109 | 60 | 3k+ | Non Singular String Literal Domain | ||
| #2242 | Cache Enabler | 35 | 44 | 75 | 90k+ | Input is not sanitized | ||
| #2243 | Divi Carousel Lite – Responsive Carousel & Slider Modules for Divi Builder | 35 | 381 | 7 | 6k+ | Text Domain Mismatch | ||
| #2244 | Central Connect | 35 | 7 | 21 | 400 | Nonce verification recommended | ||
| #2245 | CF7 Spreadsheets | 35 | 100 | 62 | 400 | Text Domain Mismatch | ||
| #2246 | CF7 Submissions – Securely Store Contact Form 7 Data and Attachments, Reply to the Sender and more | 35 | 16 | 119 | 2k+ | Non-prefixed global variable | ||
| #2247 | Popup for CF7 with Sweet Alert | 35 | 26 | 12 | 2k+ | Text Domain Mismatch | ||
| #2248 | CF7 Views – Complete Entry Management for Contact Form 7 | 35 | 172 | 181 | 1k+ | Output is not escaped | ||
| #2249 | Change Quantity on Checkout for WooCommerce | 35 | 270 | 32 | 4k+ | wp function not compatible with requires wp | ||
| #2250 | CHP Ads Block Detector | 35 | 108 | 35 | 900 | Output is not escaped |