WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2251 | CiviCRM Admin Utilities | 35 | 19 | 87 | 1k+ | Non-prefixed hook name | ||
| #2252 | Cloudflare | 35 | 28 | 85 | 200k+ | Non-prefixed namespace | ||
| #2253 | Flexible SSL for CloudFlare | 35 | 9 | 6 | 100k+ | Output is not escaped | ||
| #2254 | CM E-Mail Blacklist – Simple email filtering for safer registration | 35 | 269 | 205 | 800 | Output is not escaped | ||
| #2255 | CompressX — AVIF & WebP Converter, Media Replacement | 35 | 26 | 423 | 40k+ | Missing nonce verification | ||
| #2256 | Conditional Menus | 35 | 92 | 28 | 60k+ | Text Domain Mismatch | ||
| #2257 | Conditional Widgets | 35 | 67 | 33 | 7k+ | Output is not escaped | ||
| #2258 | Constant Contact Forms | 35 | 41 | 89 | 20k+ | Missing nonce verification | ||
| #2259 | Content Mask | 35 | 50 | 350 | 1k+ | Non-prefixed global variable | ||
| #2260 | GDPR Cookie Consent Notice Box | 35 | 46 | 17 | 1k+ | Output is not escaped | ||
| #2261 | Cookie Information – Cookie Banner with Consent Mode v2 | 35 | 185 | 28 | 2k+ | Output is not escaped | ||
| #2262 | Cookie-Script.com | 35 | 6 | 7 | 10k+ | Non-prefixed class | ||
| #2263 | Cookies and Content Security Policy | 35 | 261 | 412 | 10k+ | Output is not escaped | ||
| #2264 | Core Framework | 35 | 70 | 62 | 10k+ | Text Domain Mismatch | ||
| #2265 | Counter live visitors for WooCommerce | 35 | 189 | 39 | 7k+ | Short PHP open tag found | ||
| #2266 | Create Block Theme | 35 | 43 | 5 | 20k+ | unlink unlink | ||
| #2267 | CrowdSec | 35 | 130 | 119 | 2k+ | Output is not escaped | ||
| #2268 | Cryptex | E-Mail Address Protection | 35 | 62 | 10 | 900 | Output is not escaped | ||
| #2269 | CubeWP Framework | 35 | 114 | 71 | 4k+ | wp function not compatible with requires wp | ||
| #2270 | Cue by AudioTheme.com | 35 | 28 | 150 | 6k+ | Non-prefixed hook name | ||
| #2271 | Currency Converter | 35 | 104 | 4 | 400 | Output is not escaped | ||
| #2272 | Custom 404 Pro | 35 | 50 | 27 | 7k+ | wp function not compatible with requires wp | ||
| #2273 | Custom CSS and JavaScript | 35 | 38 | 91 | 10k+ | Input is not sanitized | ||
| #2274 | Custom JavaScript Editor | 35 | 8 | 23 | 400 | Missing Version | ||
| #2275 | Custom Post Type Maker | 35 | 240 | 86 | 6k+ | Unsafe printing function | ||
| #2276 | Customizer Backup & Reset | 35 | 8 | 10 | 7k+ | Output is not escaped | ||
| #2277 | DarkLooks – Dark Mode Switcher For WordPress | 35 | 195 | 21 | 900 | Text Domain Mismatch | ||
| #2278 | Datafeedr Product Sets | 35 | 602 | 206 | 5k+ | Output is not escaped | ||
| #2279 | Deposits & Partial Payments for WooCommerce | 35 | 174 | 144 | 5k+ | Text Domain Mismatch | ||
| #2280 | Nexi Checkout | 35 | 45 | 308 | 3k+ | Dynamic hook name | ||
| #2281 | Dintero Checkout for WooCommerce Payment Methods | 35 | 58 | 48 | 600 | Text Domain Mismatch | ||
| #2282 | PiWeb Disable payment method / Partial payment for WooCommerce | 35 | 55 | 221 | 4k+ | Non-prefixed class | ||
| #2283 | Disable and Remove Google Fonts | GDPR & DSGVO friendly | 35 | 21 | 11 | 100k+ | Missing Translators Comment | ||
| #2284 | Disable XML-RPC-API | 35 | 444 | 52 | 100k+ | Text Domain Mismatch | ||
| #2285 | Disk Usage Sunburst | 35 | 30 | 34 | 9k+ | Output is not escaped | ||
| #2286 | Dokan Invoice | 35 | 9 | 3 | 500 | Missing Translators Comment | ||
| #2287 | Potent Donations for WooCommerce | 35 | 14 | 25 | 2k+ | Missing nonce verification | ||
| #2288 | Duplica – Duplicate Posts, Pages, Custom Posts or Users | 35 | 14 | 31 | 2k+ | Non-prefixed global variable | ||
| #2289 | DynamicTags | 35 | 116 | 16 | 2k+ | Text Domain Mismatch | ||
| #2290 | Easy Dash for LearnDash | 35 | 623 | 88 | 700 | Text Domain Mismatch | ||
| #2291 | Easy Noindex And Nofollow | 35 | 55 | 18 | 400 | Output is not escaped | ||
| #2292 | Easy Panorama | 35 | 120 | 10 | 500 | Non Singular String Literal Domain | ||
| #2293 | Easy Post Types and Fields | 35 | 138 | 135 | 1k+ | Text Domain Mismatch | ||
| #2294 | Product Bundle Builder for WooCommerce | 35 | 152 | 138 | 6k+ | Text Domain Mismatch | ||
| #2295 | Easy Social Icons | 35 | 182 | 158 | 20k+ | Output is not escaped | ||
| #2296 | Easy SwipeBox | 35 | 157 | 10 | 2k+ | Non Singular String Literal Domain | ||
| #2297 | Editorial Calendar | 35 | 127 | 160 | 20k+ | Output is not escaped | ||
| #2298 | Gutenberg Blocks Library & Toolkit – Editor Plus | 35 | 27 | 11 | 6k+ | Text Domain Mismatch | ||
| #2299 | Elements Hive for Breakdance | 35 | 76 | 25 | 1k+ | Output is not escaped | ||
| #2300 | Elfsight Blocks for Elementor — 80+ Widgets | 35 | 444 | 3 | 2k+ | Text Domain Mismatch |