WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2451 | WP Responsive Tabs horizontal vertical and accordion Tabs | 35 | 598 | 212 | 2k+ | Output is not escaped | ||
| #2452 | Restrict Elementor Widgets, Columns and Sections | 35 | 18 | 53 | 500 | Non-prefixed function | ||
| #2453 | Reveal IDs | 35 | 23 | 13 | 40k+ | Output is not escaped | ||
| #2454 | RICG Responsive Images | 35 | 29 | 25 | 2k+ | wp function not compatible with requires wp | ||
| #2455 | RichText Extension | 35 | 25 | 4 | 900 | Output is not escaped | ||
| #2456 | Robots.txt rewrite | 35 | 56 | 19 | 1k+ | Output is not escaped | ||
| #2457 | RPS Image Gallery | 35 | 88 | 16 | 700 | Output is not escaped | ||
| #2458 | sCode (Easy Shortcodes) | 35 | 157 | 97 | 400 | Text Domain Mismatch | ||
| #2459 | Scroll Styler | 35 | 52 | 21 | 900 | Output is not escaped | ||
| #2460 | Internal Links Manager | 35 | 188 | 121 | 10k+ | Output is not escaped | ||
| #2461 | SEO Slider | 35 | 242 | 17 | 1k+ | Text Domain Mismatch | ||
| #2462 | Shipping Zones by Drawing for WooCommerce | 35 | 278 | 95 | 600 | Text Domain Mismatch | ||
| #2463 | Shop Page WP | 35 | 68 | 23 | 2k+ | Unsafe printing function | ||
| #2464 | Shopkeeper Extender | 35 | 14 | 26 | 5k+ | Missing Version | ||
| #2465 | Product Feed for Google Shopping, Microsoft Advertising and 40+ Channels for WooCommerce Merchant | 35 | 83 | 76 | 2k+ | Output is not escaped | ||
| #2466 | SHOPVOTE | 35 | 64 | 58 | 400 | curl curl setopt | ||
| #2467 | Shortcake (Shortcode UI) | 35 | 9 | 39 | 10k+ | Request data is not unslashed | ||
| #2468 | Simple CAPTCHA with Cloudflare Turnstile | 35 | 82 | 148 | 100k+ | Output is not escaped | ||
| #2469 | Simple Export Import for ACF Data | 35 | 19 | 64 | 1k+ | Request data is not unslashed | ||
| #2470 | Simple Header Footer HTML | 35 | 30 | 5 | 3k+ | Output is not escaped | ||
| #2471 | Simple Image Sizes | 35 | 53 | 75 | 60k+ | Unsafe printing function | ||
| #2472 | Simple Map | 35 | 10 | 1 | 10k+ | Output is not escaped | ||
| #2473 | Simple Popup Block | 35 | 14 | 1 | 500 | Missing direct file access protection | ||
| #2474 | Simple Yearly Archive | 35 | 102 | 36 | 6k+ | Unsafe printing function | ||
| #2475 | Simple YouTube Responsive | 35 | 75 | 8 | 3k+ | wp function not compatible with requires wp | ||
| #2476 | Simple Analytics | 35 | 25 | 20 | 1k+ | Output is not escaped | ||
| #2477 | SimpleTOC – Table of Contents Block | 35 | 10 | 0 | 10k+ | Setting is missing a sanitization callback | ||
| #2478 | SiteGround Migrator | 35 | 113 | 74 | 80k+ | Missing Arg Domain | ||
| #2479 | Sitekit | 35 | 122 | 8 | 3k+ | Output is not escaped | ||
| #2480 | Sky Login Redirect | 35 | 7 | 24 | 2k+ | Non-prefixed hook name | ||
| #2481 | Slick Slider | 35 | 36 | 9 | 2k+ | Output is not escaped | ||
| #2482 | Slope Widgets | 35 | 5 | 49 | 500 | Non-prefixed global variable | ||
| #2483 | SiteOrigin CSS | 35 | 61 | 84 | 100k+ | Not In Footer | ||
| #2484 | WPZOOM Connect: Social Icons Widget, Share Buttons & Click to Chat | 35 | 28 | 31 | 90k+ | Input is not sanitized | ||
| #2485 | Quiz Maker, Poll Maker & Survey Maker by Opinion Stage | 35 | 42 | 32 | 6k+ | Output is not escaped | ||
| #2486 | Sold Out Badge for WooCommerce | 35 | 5 | 4 | 8k+ | Output is not escaped | ||
| #2487 | Solid Performance – Your No-Code Caching, Performance, & Page Speed Solution | 35 | 75 | 61 | 4k+ | Exception output is not escaped | ||
| #2488 | Spacious Toolkit | 35 | 48 | 94 | 700 | Non-prefixed global variable | ||
| #2489 | Speedy Page Redirect | 35 | 6 | 10 | 1k+ | Output is not escaped | ||
| #2490 | Spots | 35 | 195 | 49 | 800 | Output is not escaped | ||
| #2491 | Spreadshop Plugin | 35 | 145 | 44 | 4k+ | wp function not compatible with requires wp | ||
| #2492 | Square Thumbnails | 35 | 43 | 317 | 800 | error log error log | ||
| #2493 | SSL Insecure Content Fixer | 35 | 28 | 60 | 100k+ | Input is not sanitized | ||
| #2494 | Stars Testimonials — Responsive Reviews & Star Ratings | 35 | 29 | 253 | 1k+ | Non-prefixed global variable | ||
| #2495 | Sticky Chat Widget – Floating Chat Icons, Contact Form, Call, Click to Chat, Email & Message Buttons | 35 | 33 | 293 | 10k+ | Non-prefixed global variable | ||
| #2496 | Sticky Social Link | 35 | 49 | 2 | 1k+ | Output is not escaped | ||
| #2497 | String locator | 35 | 52 | 319 | 100k+ | Non-prefixed global variable | ||
| #2498 | Subscribe to Unlock Lite – Opt In Content Locker Plugin for WordPress | 35 | 106 | 145 | 500 | Non-prefixed global variable | ||
| #2499 | SumUp Payment Gateway For WooCommerce | 35 | 29 | 62 | 10k+ | Nonce verification recommended | ||
| #2500 | SweepPress: Website Cleanup and Optimization | 35 | 71 | 176 | 500 | Non-prefixed global variable |