WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2401 | Nooz | 35 | 287 | 108 | 500 | Text Domain Mismatch | ||
| #2402 | Meta pixel for WordPress | 35 | 90 | 40 | 400k+ | Exception output is not escaped | ||
| #2403 | One Page Express Companion | 35 | 132 | 65 | 10k+ | Output is not escaped | ||
| #2404 | ONet Regenerate Thumbnails | 35 | 190 | 64 | 1k+ | Text Domain Mismatch | ||
| #2405 | Plugin Ongkos Kirim JNE Tiki Sicepat Wahana J&T POS for Woocommerce | 35 | 117 | 144 | 2k+ | Output is not escaped | ||
| #2406 | OPcache Manager | 35 | 155 | 75 | 1k+ | Output is not escaped | ||
| #2407 | Order Delivery Date for WooCommerce | 35 | 2,075 | 73 | 10k+ | wp function not compatible with requires wp | ||
| #2408 | OT Flatsome Vertical Menu | 35 | 126 | 26 | 10k+ | Text Domain Mismatch | ||
| #2409 | OtFm Gutenberg Spoiler – (or FAQ) collapse block | 35 | 6 | 9 | 600 | trademarked term | ||
| #2410 | Page Optimize | 35 | 70 | 41 | 200k+ | Non Singular String Literal Domain | ||
| #2411 | Page Visits Counter – Lite | 35 | 28 | 35 | 5k+ | Output is not escaped | ||
| #2412 | Paybox WooCommerce Payment Gateway | 35 | 165 | 88 | 500 | Non Singular String Literal Domain | ||
| #2413 | Paytm Payment Gateway | 35 | 92 | 104 | 3k+ | Missing Arg Domain | ||
| #2414 | Paytrail for WooCommerce | 35 | 28 | 46 | 3k+ | Non-prefixed global variable | ||
| #2415 | Perfecty Push Notifications | 35 | 204 | 213 | 4k+ | SQL query is not prepared | ||
| #2416 | Permissions Editor for Ninja Forms | 35 | 29 | 6 | 1k+ | Output is not escaped | ||
| #2417 | Pie Calendar – Events Calendar Made Simple | 35 | 83 | 53 | 1k+ | Text Domain Mismatch | ||
| #2418 | Piwik PRO | 35 | 22 | 3 | 3k+ | Output is not escaped | ||
| #2419 | Pixeline's Email Protector | 35 | 77 | 5 | 800 | Unsafe printing function | ||
| #2420 | Planyo online reservation system | 35 | 64 | 90 | 400 | Output is not escaped | ||
| #2421 | Plausible Analytics | 35 | 244 | 61 | 10k+ | Exception output is not escaped | ||
| #2422 | Accept Cryptocurrencies with Plisio | 35 | 37 | 47 | 1k+ | Text Domain Mismatch | ||
| #2423 | Pochipp | 35 | 27 | 102 | 20k+ | Non-prefixed global variable | ||
| #2424 | Poptin – Email Marketing Automation, Newsletter & Exit Pop Ups, Email Popups | 35 | 168 | 29 | 20k+ | Output is not escaped | ||
| #2425 | Popular Posts | 35 | 166 | 71 | 900 | Unsafe printing function | ||
| #2426 | Popup with fancybox | 35 | 196 | 168 | 900 | Unsafe printing function | ||
| #2427 | Post Content Shortcodes | 35 | 205 | 56 | 2k+ | Output is not escaped | ||
| #2428 | Post Draft Preview | 35 | 49 | 69 | 700 | Text Domain Mismatch | ||
| #2429 | Post List Featured Image | 35 | 112 | 100 | 900 | Output is not escaped | ||
| #2430 | Post Meta Data Manager | 35 | 30 | 112 | 1k+ | Non-prefixed global variable | ||
| #2431 | Post Password Token | 35 | 132 | 38 | 600 | Text Domain Mismatch | ||
| #2432 | Posts Table with Search & Sort | 35 | 143 | 33 | 3k+ | Text Domain Mismatch | ||
| #2433 | PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) | 35 | 6 | 56 | 80k+ | Post Not In exclude | ||
| #2434 | Product Input Fields for WooCommerce | 35 | 18 | 84 | 4k+ | Non-prefixed function | ||
| #2435 | Min Max Step Quantity Limits Manager for WooCommerce | 35 | 67 | 158 | 3k+ | Non-prefixed global variable | ||
| #2436 | Ninjalytics: Sales Reports & Order Export for WooCommerce and EDD | 35 | 6 | 32 | 6k+ | Non-prefixed global variable | ||
| #2437 | Pronamic Client | 35 | 111 | 48 | 700 | Output is not escaped | ||
| #2438 | Publitio | 35 | 47 | 26 | 400 | curl curl setopt | ||
| #2439 | Push Notifications by LaraPush | 35 | 32 | 76 | 5k+ | Non-prefixed global variable | ||
| #2440 | Push7 | 35 | 45 | 17 | 700 | Short PHP open tag found | ||
| #2441 | QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly | 35 | 225 | 110 | 8k+ | Non Singular String Literal Domain | ||
| #2442 | Quran multilanguage Text & Audio | 35 | 177 | 166 | 500 | Output is not escaped | ||
| #2443 | ReactPress – Create React App for WordPress | 35 | 26 | 43 | 3k+ | Request data is not unslashed | ||
| #2444 | Real Time Validation for Gravity Forms | 35 | 185 | 30 | 2k+ | Output is not escaped | ||
| #2445 | Really Simple Google Tag Manager (GTM) | 35 | 115 | 15 | 4k+ | Text Domain Mismatch | ||
| #2446 | Related Posts by Taxonomy | 35 | 131 | 97 | 10k+ | Output is not escaped | ||
| #2447 | Related Posts for WordPress | 35 | 207 | 180 | 10k+ | Output is not escaped | ||
| #2448 | Remove Admin Toolbar | 35 | 13 | 7 | 600 | Missing direct file access protection | ||
| #2449 | Remove Dashboard Access | 35 | 16 | 23 | 30k+ | wp function not compatible with requires wp | ||
| #2450 | ReOrder Posts within Categories | 35 | 39 | 207 | 7k+ | Non-prefixed global variable |