WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2801WP Better Permalinks36110591k+Output is not escaped
#2802WP-Cleanup367929400Output is not escaped
#2803Export Themes36122902k+Non-prefixed constant
#2804WP Coder – Insert & Manage Code Snippets365328010k+Nonce verification recommended
#2805WP Counter368643800Output is not escaped
#2806WP-EMail36340951k+Unsafe printing function
#2807WP Header Images361741336k+Unsafe printing function
#2808WP Hotel Booking WooCommerce3693991k+Output is not escaped
#2809WP LaTeX3610312700Output is not escaped
#2810WP Mail36202201500Output is not escaped
#2811Payment Button for PayPal36155864k+Unsafe printing function
#2812WP Publication Archive3619764400Text Domain Mismatch
#2813WP Responsive Menu3629513930k+Text Domain Mismatch
#2814WP Hardening (discontinued)362308510k+Text Domain Mismatch
#2815WP Show Posts3610710270k+Output is not escaped
#2816WP Socializer – Simple & Easy Social Media Share Icons362145110k+Output is not escaped
#2817WP Sort Order361342116k+Direct Query
#2818WP Stripe Checkout361981181k+Unsafe printing function
#2819WP Super Edit36351852k+Nonce verification recommended
#2820Yandex.Metrica36763060k+Output is not escaped
#2821WPAvatar3642545700Unsafe printing function
#2822WP fail2ban Blocklist3661633k+SQL query is not prepared
#2823WPLMS H5P361111061k+Text Domain Mismatch
#2824Wppao Sitemap36128219k+Output is not escaped
#2825wpShopGermany IT-RECHT KANZLEI363747500Input is not sanitized
#2826Database Snapshots – WPvivid36661081k+Direct Query
#2827Visual CSS Style Editor3628323340k+Output is not escaped
#2828Custom Product Tabs for WooCommerce36878180k+Output is not escaped
#2829Zeno – AI-Powered Chatbot36311131400Text Domain Mismatch
#2830360 Javascript Viewer37144221k+Output is not escaped
#2831Redirectioner372344101k+Output is not escaped
#2832ACF: TablePress37160451k+Text Domain Mismatch
#2833Adapta RGPD373497240k+Text Domain Mismatch
#2834Adaptive Images for WordPress3751753k+Output is not escaped
#2835Add From Server37522060k+Output is not escaped
#2836AddToAny Share Buttons37123164300k+Unsafe printing function
#2837Advanced Accordion Gutenberg Block – Create Beautiful FAQs, Content Accordions & Interactive Tabs37393610k+Missing direct file access protection
#2838Advanced Custom Fields: NextGEN Gallery Field add-on3713120400Output is not escaped
#2839PiWeb Advanced Flat rate / Conditional shipping for WooCommerce37841922k+wp function not compatible with requires wp
#2840Agreeable374067800Unsafe printing function
#2841AJAX Hits Counter + Popular Posts Widget3724744900Output is not escaped
#2842Analytics Spam Blocker377622800Unsafe printing function
#2843Antom Payments376273800badly named files
#2844All-in-one Chat Button by anychat.one3711969900Text Domain Mismatch
#2845Anything Popup371641852k+Non-prefixed global variable
#2846Apaczka: integracja z WooCommerce3783163k+Non-prefixed global variable
#2847Async JavaScript373577970k+Unsafe printing function
#2848Async JS and CSS37901700Text Domain Mismatch
#2849Login by Auth0373078210k+Text Domain Mismatch
#2850authLdap3746304k+Exception output is not escaped