WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2651 | Multi Step for Contact Form 7 | 36 | 61 | 106 | 10k+ | Missing nonce verification | ||
| #2652 | Contact Form 7 Polylang Module | 36 | 32 | 45 | 5k+ | Output is not escaped | ||
| #2653 | CloudPayments Gateway for WooCommerce | 36 | 205 | 70 | 500 | Text Domain Mismatch | ||
| #2654 | CLP – Custom Login Page by NiteoThemes | 36 | 240 | 49 | 700 | Output is not escaped | ||
| #2655 | CM Header and Footer – Add custom scripts and styles to your header and footer with ease | 36 | 230 | 198 | 1k+ | Output is not escaped | ||
| #2656 | CMB2 | 36 | 148 | 19 | 300k+ | Output is not escaped | ||
| #2657 | Code Snippets | 36 | 34 | 203 | 1m+ | Nonce verification recommended | ||
| #2658 | ColorMeShop WordPress Plugin | 36 | 392 | 37 | 600 | Exception output is not escaped | ||
| #2659 | Coming Soon, Under Construction & Maintenance Mode By Dazzler | 36 | 173 | 132 | 6k+ | Text Domain Mismatch | ||
| #2660 | Conditional Payments for WooCommerce | 36 | 292 | 184 | 10k+ | Text Domain Mismatch | ||
| #2661 | Conditional Shipping for WooCommerce | 36 | 93 | 196 | 10k+ | Non-prefixed global variable | ||
| #2662 | Continuous Image Carousel With Lightbox | 36 | 255 | 129 | 1k+ | Output is not escaped | ||
| #2663 | CP Blocks | 36 | 46 | 38 | 1k+ | wp function not compatible with requires wp | ||
| #2664 | Crelly Slider | 36 | 421 | 185 | 10k+ | Unsafe printing function | ||
| #2665 | CSH Login | 36 | 126 | 41 | 500 | Output is not escaped | ||
| #2666 | Custom Database Applications by Caspio | 36 | 32 | 63 | 400 | Input is not sanitized | ||
| #2667 | Custom PHP Settings | 36 | 153 | 76 | 10k+ | Output is not escaped | ||
| #2668 | Custom Category Post Order | 36 | 80 | 83 | 500 | Text Domain Mismatch | ||
| #2669 | Dashboard Widgets Suite | 36 | 206 | 124 | 4k+ | Output is not escaped | ||
| #2670 | Depicter — Popup & Slider Builder | 36 | 130 | 121 | 80k+ | Exception output is not escaped | ||
| #2671 | DeveloPress Sticky Footer Bar | 36 | 165 | 49 | 400 | Output is not escaped | ||
| #2672 | Different Menu in Different Pages – Conditional Menu | 36 | 167 | 113 | 4k+ | Text Domain Mismatch | ||
| #2673 | Doneren met Mollie | 36 | 420 | 351 | 4k+ | SQL query is not prepared | ||
| #2674 | Drag and Drop Multiple File Upload for Contact Form 7 | 36 | 82 | 36 | 60k+ | wp function not compatible with requires wp | ||
| #2675 | Duitku Payment Gateway | 36 | 507 | 107 | 700 | Text Domain Mismatch | ||
| #2676 | Duplicate Post – duplicate pages, copy content, clone posts | 36 | 76 | 81 | 5k+ | wp function not compatible with requires wp | ||
| #2677 | Dynamic Copyright Year | 36 | 972 | 43 | 800 | Output is not escaped | ||
| #2678 | Dynamic Front-End Heartbeat Control | 36 | 217 | 111 | 1k+ | Text Domain Mismatch | ||
| #2679 | Dynamic Visibility for Elementor | 36 | 56 | 89 | 50k+ | Non-prefixed hook name | ||
| #2680 | Easy Support Videos – Embed videos in the admin | 36 | 160 | 95 | 500 | Output is not escaped | ||
| #2681 | Product Carousel Slider for Elementor | 36 | 148 | 63 | 1k+ | Text Domain Mismatch | ||
| #2682 | Email Before Download | 36 | 89 | 29 | 6k+ | Unsafe printing function | ||
| #2683 | Endora | 36 | 53 | 72 | 1k+ | Output is not escaped | ||
| #2684 | Enhanced Media Library | 36 | 361 | 117 | 60k+ | Unsafe printing function | ||
| #2685 | Enormail Sign Up Forms | 36 | 133 | 126 | 400 | Output is not escaped | ||
| #2686 | Envo's Templates & Widgets for Elementor and WooCommerce | 36 | 1,065 | 54 | 10k+ | Text Domain Mismatch | ||
| #2687 | Events Manager and WPML Compatibility | 36 | 101 | 177 | 1k+ | Direct Query | ||
| #2688 | Export Variable Products | 36 | 79 | 49 | 400 | Text Domain Mismatch | ||
| #2689 | Happy WooCommerce FAQs – Ultimate Product FAQ Plugin | 36 | 65 | 119 | 1k+ | Nonce verification recommended | ||
| #2690 | FreePay for WooCommerce | 36 | 114 | 102 | 400 | Output is not escaped | ||
| #2691 | Friendly Functions for Welcart | 36 | 311 | 83 | 1k+ | Non Singular String Literal Domain | ||
| #2692 | Genesis Sandbox Featured Content Widget | 36 | 229 | 24 | 1k+ | Text Domain Mismatch | ||
| #2693 | GetPaid > Wallet | 36 | 174 | 227 | 700 | Text Domain Mismatch | ||
| #2694 | Google SEO Pressor for Rich snippets | 36 | 51 | 160 | 400 | Missing nonce verification | ||
| #2695 | Google Webfont Optimizer | 36 | 45 | 49 | 700 | Output is not escaped | ||
| #2696 | Gutena Kit – Gutenberg Blocks and Templates | 36 | 39 | 87 | 1k+ | Nonce verification recommended | ||
| #2697 | Header Footer Code Manager | 36 | 81 | 180 | 600k+ | Non-prefixed global variable | ||
| #2698 | Optimize Social Share | 36 | 203 | 61 | 3k+ | Unsafe printing function | ||
| #2699 | HTML Forms – Simple WordPress Forms Plugin | 36 | 231 | 166 | 10k+ | Output is not escaped | ||
| #2700 | HTML5 Maps | 36 | 194 | 160 | 5k+ | Output is not escaped |