WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2601 | WP-ViperGB | 35 | 127 | 68 | 400 | Output is not escaped | ||
| #2602 | Integration for WooCommerce and QuickBooks | 35 | 263 | 125 | 1k+ | Output is not escaped | ||
| #2603 | WP-Yomigana | 35 | 17 | 15 | 2k+ | Output is not escaped | ||
| #2604 | WPC Badge Management for WooCommerce | 35 | 13 | 81 | 2k+ | Missing nonce verification | ||
| #2605 | WPCore Plugin Manager | 35 | 118 | 38 | 9k+ | Text Domain Mismatch | ||
| #2606 | WPD Beaver Builder Additions | 35 | 406 | 35 | 600 | Non Singular String Literal Domain | ||
| #2607 | WP Views Counter | 35 | 81 | 42 | 2k+ | Output is not escaped | ||
| #2608 | WPFront User Role Editor | 35 | 333 | 578 | 30k+ | Output is not escaped | ||
| #2609 | WPGraphQL for ACF | 35 | 6 | 18 | 10k+ | Output is not escaped | ||
| #2610 | wpLingua – Automatic translation – Translate and make website multilingual | 35 | 79 | 167 | 2k+ | Nonce verification recommended | ||
| #2611 | WPPerformanceTester | 35 | 94 | 44 | 1k+ | Output is not escaped | ||
| #2612 | WPZOOM Addons for Elementor – Starter Templates & Widgets | 35 | 160 | 130 | 20k+ | Output is not escaped | ||
| #2613 | WPZOOM Forms – Drag & Drop Contact Form Builder for WordPress | 35 | 74 | 109 | 10k+ | Nonce verification recommended | ||
| #2614 | WPZOOM Portfolio Lite – Filterable Portfolio Plugin | 35 | 42 | 92 | 20k+ | Non-prefixed global variable | ||
| #2615 | Writesonic | 35 | 14 | 16 | 1k+ | Non-prefixed global variable | ||
| #2616 | WSB HUB3 | 35 | 36 | 109 | 1k+ | Missing nonce verification | ||
| #2617 | xili-tidy-tags | 35 | 224 | 157 | 1k+ | Output is not escaped | ||
| #2618 | XServer Migrator | 35 | 39 | 53 | 10k+ | Interpolated SQL is not prepared | ||
| #2619 | TypeSquare Webfonts for エックスサーバー | 35 | 183 | 98 | 100k+ | Missing Arg Domain | ||
| #2620 | Yabe Webfont – Use Custom Fonts, Google Fonts or Adobe Fonts | 35 | 48 | 114 | 5k+ | Non-prefixed hook name | ||
| #2621 | Yes/No Chart | 35 | 136 | 139 | 2k+ | Unsafe printing function | ||
| #2622 | YML for Yandex Market | 35 | 18 | 288 | 10k+ | Non-prefixed global variable | ||
| #2623 | Year Make Model Search for WooCommerce | 35 | 188 | 162 | 1k+ | Output is not escaped | ||
| #2624 | Embeds for YouTube | 35 | 255 | 307 | 10k+ | Non-prefixed global variable | ||
| #2625 | 2C2P Redirect API for WooCommerce | 36 | 136 | 62 | 900 | wp function not compatible with requires wp | ||
| #2626 | 3B Meteo | 36 | 50 | 76 | 1k+ | Output is not escaped | ||
| #2627 | Product Labels For Woocommerce (Sale Badges) | 36 | 90 | 48 | 10k+ | Output is not escaped | ||
| #2628 | Admin Customizer | 36 | 143 | 64 | 1k+ | Output is not escaped | ||
| #2629 | Advanced Export for WP & WPMU | 36 | 124 | 55 | 700 | Output is not escaped | ||
| #2630 | Age Verification for your checkout page. Verify your customer's identity | 36 | 155 | 238 | 500 | Output is not escaped | ||
| #2631 | Awesome GDPR Compliant Cookie Consent and Notice | 36 | 653 | 201 | 500 | Text Domain Mismatch | ||
| #2632 | Bard Extra | 36 | 158 | 76 | 700 | Text Domain Mismatch | ||
| #2633 | Black Widgets For Elementor | 36 | 2,608 | 19 | 800 | Text Domain Mismatch | ||
| #2634 | Blaze Demo Importer | 36 | 101 | 94 | 8k+ | Output is not escaped | ||
| #2635 | BlockStrap Page Builder – Bootstrap Blocks | 36 | 81 | 89 | 2k+ | Missing direct file access protection | ||
| #2636 | Blog, Posts and Category Filter for Elementor | 36 | 159 | 55 | 1k+ | Text Domain Mismatch | ||
| #2637 | BP Disable Activation Reloaded | 36 | 147 | 28 | 800 | Output is not escaped | ||
| #2638 | BP Profile Search | 36 | 321 | 85 | 5k+ | Output is not escaped | ||
| #2639 | bpost shipping | 36 | 97 | 43 | 700 | Output is not escaped | ||
| #2640 | Breadcrumb NavXT | 36 | 102 | 111 | 800k+ | Non Singular String Literal Domain | ||
| #2641 | BuddyMeet | 36 | 114 | 32 | 700 | Unsafe printing function | ||
| #2642 | Bulgarisation for WooCommerce | 36 | 136 | 603 | 5k+ | Nonce verification recommended | ||
| #2643 | Bulk Post Update Date | 36 | 96 | 66 | 10k+ | Unsafe printing function | ||
| #2644 | Bus Ticket Booking with Seat Reservation | 36 | 145 | 192 | 800 | Non-prefixed global variable | ||
| #2645 | Better WordPress Recent Comments | 36 | 319 | 69 | 600 | Text Domain Mismatch | ||
| #2646 | Carousel Ultimate | 36 | 450 | 284 | 700 | Text Domain Mismatch | ||
| #2647 | Carousel Horizontal Posts Content Slider | 36 | 271 | 59 | 2k+ | Text Domain Mismatch | ||
| #2648 | Cashflows for WooCommerce | 36 | 119 | 36 | 600 | Text Domain Mismatch | ||
| #2649 | Simple SEO | 36 | 164 | 113 | 10k+ | Non Singular String Literal Domain | ||
| #2650 | Contact Form 7 Gated Content | 36 | 122 | 36 | 800 | Short PHP open tag found |