WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2351 | ImageMagick Engine | 35 | 63 | 29 | 60k+ | Unsafe printing function | ||
| #2352 | Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts | 35 | 64 | 91 | 60k+ | Output is not escaped | ||
| #2353 | Social Feed Gallery | 35 | 104 | 52 | 80k+ | Text Domain Mismatch | ||
| #2354 | Instant CSS | 35 | 25 | 25 | 3k+ | Output is not escaped | ||
| #2355 | Instapage Plugin | 35 | 220 | 45 | 4k+ | Output is not escaped | ||
| #2356 | IntenseDebate Comments | 35 | 203 | 114 | 500 | Output is not escaped | ||
| #2357 | ICIT Weather Widget | 35 | 358 | 8 | 400 | Output is not escaped | ||
| #2358 | IP Based Login | 35 | 179 | 146 | 600 | Output is not escaped | ||
| #2359 | iPages – FlipBook Image & PDF Viewer | 35 | 467 | 177 | 2k+ | Text Domain Mismatch | ||
| #2360 | Issuu PDF Sync | 35 | 159 | 28 | 900 | Text Domain Mismatch | ||
| #2361 | Japanese font for WordPress(Previously: Japanese Font for TinyMCE) | 35 | 11 | 37 | 10k+ | Non-prefixed global variable | ||
| #2362 | Jarvis | 35 | 10 | 19 | 500 | Input is not validated | ||
| #2363 | Static Site Exporter | 35 | 54 | 25 | 500 | file system operations mkdir | ||
| #2364 | JetStyleManager for Gutenberg | 35 | 20 | 64 | 20k+ | Nonce verification recommended | ||
| #2365 | Nobs • Share Buttons | 35 | 314 | 85 | 3k+ | Output is not escaped | ||
| #2366 | JWT Auth – WordPress JSON Web Token Authentication | 35 | 14 | 18 | 6k+ | Output is not escaped | ||
| #2367 | Kadence for WooCommerce and Elementor | 35 | 39 | 21 | 3k+ | Output is not escaped | ||
| #2368 | Kargo Takip | 35 | 84 | 142 | 3k+ | Missing nonce verification | ||
| #2369 | Kaya QR Code Generator | 35 | 193 | 40 | 20k+ | Non Singular String Literal Domain | ||
| #2370 | KBoard 위젯 – 워드프레스 게시판 | 35 | 53 | 32 | 3k+ | Output is not escaped | ||
| #2371 | Keyring | 35 | 233 | 203 | 1k+ | Output is not escaped | ||
| #2372 | Kiyoh customer review | 35 | 173 | 68 | 500 | Output is not escaped | ||
| #2373 | Kustom Checkout for WooCommerce | 35 | 101 | 505 | 10k+ | Dynamic hook name | ||
| #2374 | Lead Call Buttons | 35 | 113 | 81 | 5k+ | Output is not escaped | ||
| #2375 | Lead Form Builder & Contact Form | 35 | 400 | 345 | 9k+ | Output is not escaped | ||
| #2376 | Topic Progression Using Storyline/Captivate for LearnDash | 35 | 382 | 25 | 400 | Text Domain Mismatch | ||
| #2377 | Lenix scss compiler | 35 | 133 | 34 | 800 | Exception output is not escaped | ||
| #2378 | Less PHP Compiler | 35 | 163 | 47 | 3k+ | Exception output is not escaped | ||
| #2379 | Listamester | 35 | 17 | 16 | 600 | Output is not escaped | ||
| #2380 | Login-Logout | 35 | 104 | 8 | 3k+ | Output is not escaped | ||
| #2381 | Login Page Styler – Custom WordPress Login Page Customizer & Security | 35 | 125 | 168 | 2k+ | Missing Arg Domain | ||
| #2382 | Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library ) | 35 | 266 | 127 | 5k+ | Output is not escaped | ||
| #2383 | Mail Queue | 35 | 25 | 103 | 1k+ | Nonce verification recommended | ||
| #2384 | Mark Posts | 35 | 30 | 34 | 1k+ | Output is not escaped | ||
| #2385 | Marquee image crawler | 35 | 168 | 136 | 700 | Non-prefixed global variable | ||
| #2386 | Mechanic Visitor Counter | 35 | 240 | 66 | 7k+ | Output is not escaped | ||
| #2387 | Media Credit | 35 | 28 | 35 | 1k+ | Non-prefixed global variable | ||
| #2388 | Media Library Downloader | 35 | 21 | 16 | 4k+ | Output is not escaped | ||
| #2389 | Restaurant Menu – Food Ordering System – Table Reservation | 35 | 317 | 186 | 8k+ | Unsafe printing function | ||
| #2390 | Mighty Pros & Cons | 35 | 12 | 6 | 800 | Text Domain Mismatch | ||
| #2391 | Mini Ajax Cart for WooCommerce | 35 | 297 | 240 | 900 | Text Domain Mismatch | ||
| #2392 | Mini Cart for WooCommerce – Add a Stylish Sliding Cart | 35 | 42 | 160 | 600 | Non-prefixed global variable | ||
| #2393 | Modern Images WP | 35 | 10 | 3 | 400 | Missing Translators Comment | ||
| #2394 | More Widgets | 35 | 55 | 15 | 1k+ | Output is not escaped | ||
| #2395 | mosparo Integration | 35 | 114 | 301 | 900 | Missing nonce verification | ||
| #2396 | Movylo Marketing Automation | 35 | 38 | 88 | 700 | error log print r | ||
| #2397 | MotoPress Hotel Booking Styles & Templates | 35 | 37 | 19 | 10k+ | block api version too low | ||
| #2398 | Never Let Me Go | 35 | 34 | 47 | 400 | Non-prefixed global variable | ||
| #2399 | NGG Smart Image Search | 35 | 298 | 155 | 400 | Output is not escaped | ||
| #2400 | Nginx Cache Controller | 35 | 79 | 96 | 1k+ | Text Domain Mismatch |