WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2551Custom Payment Gateways for WooCommerce35202313k+Non Singular String Literal Domain
#2552Backend Payments for WooCommerce356342900Exception output is not escaped
#2553Save and Share Cart for WooCommerce3512551600Text Domain Mismatch
#2554DPD Baltic Shipping35912022k+Text Domain Mismatch
#2555Title Limit for WooCommerce3541124k+Output is not escaped
#2556Abandoned Cart Lite for WooCommerce358416120k+Non-prefixed global variable
#2557Checkout Terms Conditions Popup for WooCommerce3576301k+Output is not escaped
#2558Conversion Tracking for WooCommerce35746120k+Output is not escaped
#2559Custom Payment Gateway for WooCommerce3511128k+Missing nonce verification
#2560Payment Gateway for PayPal Pro & PayPal Checkout for WooCommerce35671471k+Request data is not unslashed
#2561Invoices for WooCommerce355516810k+Non-prefixed global variable
#2562Product Tabs for WooCommerce3519610010k+Text Domain Mismatch
#2563Brevo for WooCommerce351166730k+Output is not escaped
#2564Kybernaut IČO DIČ3579682k+Missing nonce verification
#2565Wooplatnica352724400Non-prefixed class
#2566BulkGate SMS Plugin for WooCommerce3533321k+Output is not escaped
#2567Easy Accept Payments via PayPal353221287k+Text Domain Mismatch
#2568WP Associate Post R235259863k+Output is not escaped
#2569WP Cassify35106143700Missing nonce verification
#2570Category Dropdown by GCS Design3593521k+Output is not escaped
#2571WP Change Email Sender3551310k+Non-prefixed namespace
#2572WP Compiler3533201k+Output is not escaped
#2573WP-Cron Status Checker352401115k+Text Domain Mismatch
#2574Custom Body Class353910110k+Non-prefixed global variable
#2575WP Datepicker352251817k+Output is not escaped
#2576Database Backup for WordPress351288870k+Output is not escaped
#2577WP Duplicate Page35445060k+Text Domain Mismatch
#2578WP Flexslider35157600Unsafe printing function
#2579WP Geo3518084900Output is not escaped
#2580Auto Publish for Google My Business3521619210k+Input is not validated
#2581WP Hydra3510181k+Input is not sanitized
#2582WP-KaTeX35148800Missing direct file access protection
#2583WP-LESS3516810k+Missing direct file access protection
#2584Mail logging – WP Mail Catcher3523215720k+Text Domain Mismatch
#2585WP Mailto Links – Protect Email Addresses3595698k+Output is not escaped
#2586WP-Markdown353139400Output is not escaped
#2587WP Instant Feeds3519126k+Output is not escaped
#2588WP-PageNavi358495500k+Non Singular String Literal Domain
#2589WP-Paginate35375520k+Input is not validated
#2590WP-Persian35144377k+Unsafe printing function
#2591WP PGP Encrypted Emails356339400Output is not escaped
#2592WP Post Nav3573242400Non-prefixed global variable
#2593WP-PostViews3513264100k+Unsafe printing function
#2594WP-Print35110528k+Unsafe printing function
#2595WP All Import – Property Import for WP Residence354132700Output is not escaped
#2596video carousel slider with lightbox353501361k+Output is not escaped
#2597WP Site Verification tool3534371k+Non-prefixed global variable
#2598WP Spam Question Filter3563302k+Output is not escaped
#2599Subresource Integrity (SRI) Manager352694900Request data is not unslashed
#2600WP System Information3523730700Text Domain Mismatch