WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2701 | HTML5 Maps | 36 | 194 | 160 | 5k+ | Output is not escaped | ||
| #2702 | HTTP Requests Manager | 36 | 98 | 90 | 1k+ | Output is not escaped | ||
| #2703 | Page Speed Optimizer: HTTP/2 Push, Async JavaScript, and Defer CSS | 36 | 68 | 33 | 6k+ | Output is not escaped | ||
| #2704 | If-So Geolocation | 36 | 50 | 57 | 1k+ | Non-prefixed global variable | ||
| #2705 | Insert Headers and Footers Code – HT Script | 36 | 391 | 34 | 7k+ | Text Domain Mismatch | ||
| #2706 | IntelliWidget Per Page Custom Menus and Dynamic Content | 36 | 586 | 162 | 600 | Output is not escaped | ||
| #2707 | Italy Cookie Choices (for EU Cookie Law & Cookie Notice) | 36 | 115 | 77 | 10k+ | Unsafe printing function | ||
| #2708 | Just TinyMCE Custom Styles | 36 | 112 | 28 | 1k+ | Missing Arg Domain | ||
| #2709 | Lara's Google Analytics (GA4) | 36 | 303 | 57 | 9k+ | Unsafe printing function | ||
| #2710 | Leartes TRY Exchange Rates | 36 | 250 | 27 | 500 | Text Domain Mismatch | ||
| #2711 | Legal Text Connector of the IT-Recht Kanzlei | 36 | 45 | 46 | 10k+ | Exception output is not escaped | ||
| #2712 | Libro de Reclamaciones y Quejas | 36 | 266 | 124 | 4k+ | Text Domain Mismatch | ||
| #2713 | Linkable Title Html and Php Widget | 36 | 108 | 31 | 600 | Output is not escaped | ||
| #2714 | Login as User | 36 | 101 | 64 | 30k+ | Output is not escaped | ||
| #2715 | LocalWeb All In One | 36 | 34 | 297 | 5k+ | Non-prefixed global variable | ||
| #2716 | MailMunch – Grow your Email List | 36 | 102 | 49 | 6k+ | Output is not escaped | ||
| #2717 | Manage Notification E-mails | 36 | 129 | 98 | 100k+ | Non-prefixed function | ||
| #2718 | Materialis Companion | 36 | 129 | 67 | 6k+ | Unsafe printing function | ||
| #2719 | Media Deduper | 36 | 60 | 99 | 9k+ | Missing Arg Domain | ||
| #2720 | Microsoft Clarity | 36 | 48 | 163 | 200k+ | Nonce verification recommended | ||
| #2721 | Mobile Menu Builder for WordPress | 36 | 81 | 33 | 600 | Output is not escaped | ||
| #2722 | Motors VIN Decoder | 36 | 87 | 88 | 400 | Output is not escaped | ||
| #2723 | 코드엠샵 마이사이트 – MSHOP MY SITE | 36 | 58 | 55 | 800 | Output is not escaped | ||
| #2724 | Multiple Sidebars | 36 | 109 | 75 | 600 | Non Singular String Literal Domain | ||
| #2725 | WP Sticky Sidebar – Floating Sidebar On Scroll for Any Theme | 36 | 93 | 84 | 10k+ | Non-prefixed global variable | ||
| #2726 | News Manager | 36 | 134 | 57 | 600 | Output is not escaped | ||
| #2727 | News Ticker for Elementor | 36 | 76 | 57 | 2k+ | Text Domain Mismatch | ||
| #2728 | NextGEN Custom Fields | 36 | 215 | 131 | 1k+ | SQL query is not prepared | ||
| #2729 | MailerLite – Signup forms (official) | 36 | 430 | 158 | 100k+ | Output is not escaped | ||
| #2730 | We’re Open! | 36 | 273 | 187 | 5k+ | Unsafe printing function | ||
| #2731 | Order Status History for WooCommerce | 36 | 210 | 171 | 1k+ | Output is not escaped | ||
| #2732 | Ovation Elements | 36 | 23 | 399 | 10k+ | Non-prefixed global variable | ||
| #2733 | Ozh' Admin Drop Down Menu | 36 | 125 | 43 | 3k+ | Output is not escaped | ||
| #2734 | PayPal Currency Converter BASIC for WooCommerce | 36 | 348 | 20 | 400 | Output is not escaped | ||
| #2735 | PayTR Sanal POS WooCommerce – iFrame API | 36 | 117 | 54 | 10k+ | Output is not escaped | ||
| #2736 | PDF Forms Filler for CF7 | 36 | 185 | 79 | 3k+ | Text Domain Mismatch | ||
| #2737 | PDF Forms Filler for WPForms | 36 | 161 | 54 | 600 | Text Domain Mismatch | ||
| #2738 | Peter’s Post Notes | 36 | 224 | 102 | 3k+ | Output is not escaped | ||
| #2739 | Photoswipe Masonry Gallery | 36 | 57 | 47 | 6k+ | Non Singular String Literal Text | ||
| #2740 | Plugins Garbage Collector (Database Cleanup) | 36 | 32 | 51 | 10k+ | Missing nonce verification | ||
| #2741 | Post Views Stats Counter | 36 | 142 | 241 | 700 | Non-prefixed global variable | ||
| #2742 | ActiveCampaign Postmark for WordPress | 36 | 47 | 75 | 50k+ | Text Domain Mismatch | ||
| #2743 | WowStore – Store Builder & Product Blocks for WooCommerce | 36 | 56 | 437 | 4k+ | Non-prefixed global variable | ||
| #2744 | افزونه رسمی ترب | 36 | 42 | 86 | 30k+ | Exception output is not escaped | ||
| #2745 | Qubely – Advanced Gutenberg Blocks | 36 | 39 | 78 | 8k+ | Request data is not unslashed | ||
| #2746 | Quick 301 Redirects | 36 | 89 | 120 | 5k+ | Non-prefixed global variable | ||
| #2747 | Direct Checkout – Quick View – Buy Now For WooCommerce | 36 | 90 | 112 | 2k+ | Missing nonce verification | ||
| #2748 | Rara One Click Demo Import | 36 | 122 | 98 | 20k+ | Missing Translators Comment | ||
| #2749 | Recent Posts | 36 | 106 | 30 | 500 | Text Domain Mismatch | ||
| #2750 | Responsive Testimonials | 36 | 252 | 32 | 500 | Text Domain Mismatch |