WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2201Air WP Sync – Airtable to WordPress3537451k+Non-prefixed hook name
#2202Akismet Anti-spam: Spam Protection3533995m+Non-prefixed global variable
#2203AMIMOTO Plugin Dashboard358282900Non Singular String Literal Domain
#2204Amministrazione Trasparente3580461k+Output is not escaped
#2205AnsPress – Question and answer35227783k+Non-prefixed function
#2206Tuskcode Map Pro for Bing Maps3559359600Direct Query
#2207AppMySite – WordPress & WooCommerce Mobile App Builder (No-Code Android & iOS App Maker)35165377k+Missing Arg Domain
#2208Aquila Admin Theme351513293k+Non-prefixed global variable
#2209Author Box WP Lens3516949900Unsafe printing function
#2210Authors Widget35170191k+Output is not escaped
#2211Autocomplete For Relevanssi35309900Unsafe printing function
#2212Avif Express3526167400Input is not validated
#2213Awin – Advertiser Tracking for WooCommerce3546391k+Non Singular String Literal Domain
#2214AXP Cyrillic to Latin352131k+Output is not escaped
#2215BabyLoveGrowth Integration352101k+Direct Query
#2216Basic Google Maps Placemarks35189803k+Output is not escaped
#2217Before After Image Comparison Slider for WPBakery Page Builder3558591k+Output is not escaped
#2218belingoGeo351361331k+Output is not escaped
#2219Better Plugin Compatibility Control35744k+trademarked term
#2220Better Recent Comments35127292k+Text Domain Mismatch
#2221Bicycles by falbar3542665600Output is not escaped
#2222Lord of the Files: Enhanced Upload Security3562421k+Non-prefixed global variable
#2223Block Comment Spam Bots353117800Output is not escaped
#2224Gutenberg Block for WooCommerce Product Table351443k+Hidden files included
#2225Block Manager3533264k+Text Domain Mismatch
#2226Block User Account352801431k+Unsafe printing function
#2227Blogsqode – Blog Layouts and News Post Design3543063400Text Domain Mismatch
#2228BlossomThemes Toolkit353475230k+Output is not escaped
#2229Tooltipy (tooltips for WP)353701251k+Text Domain Mismatch
#2230Bootstrap for Contact Form 735357310k+Nonce verification recommended
#2231BORICA Payments by BORICA AD35537196500Text Domain Mismatch
#2232BuddyPress Activity Filter352566400Nonce verification recommended
#2233Custom Order Status Manager for WooCommerce356306730k+Text Domain Mismatch
#2234Registration Options for BuddyPress35471321k+Non-prefixed function
#2235Brozzme DB Prefix & Tools Addons35244210k+Request data is not unslashed
#2236BSK Forms Blacklist358315501k+Output is not escaped
#2237BTCPay Server – Accept Bitcoin payments in WooCommerce3548861k+Missing nonce verification
#2238BugHerd35823k+Output is not escaped
#2239Business Hours Indicator351391068k+Alternative PHP tag found
#2240Buying Buddy IDX CRM – Real Estate MLS Plugin3571240500Request data is not unslashed
#2241C3 Cloudfront Cache Controller35109603k+Non Singular String Literal Domain
#2242Cache Enabler35447590k+Input is not sanitized
#2243Divi Carousel Lite – Responsive Carousel & Slider Modules for Divi Builder3538176k+Text Domain Mismatch
#2244Central Connect35721400Nonce verification recommended
#2245CF7 Spreadsheets3510062400Text Domain Mismatch
#2246CF7 Submissions – Securely Store Contact Form 7 Data and Attachments, Reply to the Sender and more35161192k+Non-prefixed global variable
#2247Popup for CF7 with Sweet Alert3526122k+Text Domain Mismatch
#2248CF7 Views – Complete Entry Management for Contact Form 7351721811k+Output is not escaped
#2249Change Quantity on Checkout for WooCommerce35270324k+wp function not compatible with requires wp
#2250CHP Ads Block Detector3510835900Output is not escaped