WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2801 | WP Better Permalinks | 36 | 110 | 59 | 1k+ | Output is not escaped | ||
| #2802 | WP-Cleanup | 36 | 79 | 29 | 400 | Output is not escaped | ||
| #2803 | Export Themes | 36 | 122 | 90 | 2k+ | Non-prefixed constant | ||
| #2804 | WP Coder – Insert & Manage Code Snippets | 36 | 53 | 280 | 10k+ | Nonce verification recommended | ||
| #2805 | WP Counter | 36 | 86 | 43 | 800 | Output is not escaped | ||
| #2806 | WP-EMail | 36 | 340 | 95 | 1k+ | Unsafe printing function | ||
| #2807 | WP Header Images | 36 | 174 | 133 | 6k+ | Unsafe printing function | ||
| #2808 | WP Hotel Booking WooCommerce | 36 | 93 | 99 | 1k+ | Output is not escaped | ||
| #2809 | WP LaTeX | 36 | 103 | 12 | 700 | Output is not escaped | ||
| #2810 | WP Mail | 36 | 202 | 201 | 500 | Output is not escaped | ||
| #2811 | Payment Button for PayPal | 36 | 155 | 86 | 4k+ | Unsafe printing function | ||
| #2812 | WP Publication Archive | 36 | 197 | 64 | 400 | Text Domain Mismatch | ||
| #2813 | WP Responsive Menu | 36 | 295 | 139 | 30k+ | Text Domain Mismatch | ||
| #2814 | WP Hardening (discontinued) | 36 | 230 | 85 | 10k+ | Text Domain Mismatch | ||
| #2815 | WP Show Posts | 36 | 107 | 102 | 70k+ | Output is not escaped | ||
| #2816 | WP Socializer – Simple & Easy Social Media Share Icons | 36 | 214 | 51 | 10k+ | Output is not escaped | ||
| #2817 | WP Sort Order | 36 | 134 | 211 | 6k+ | Direct Query | ||
| #2818 | WP Stripe Checkout | 36 | 198 | 118 | 1k+ | Unsafe printing function | ||
| #2819 | WP Super Edit | 36 | 35 | 185 | 2k+ | Nonce verification recommended | ||
| #2820 | Yandex.Metrica | 36 | 76 | 30 | 60k+ | Output is not escaped | ||
| #2821 | WPAvatar | 36 | 425 | 45 | 700 | Unsafe printing function | ||
| #2822 | WP fail2ban Blocklist | 36 | 61 | 63 | 3k+ | SQL query is not prepared | ||
| #2823 | WPLMS H5P | 36 | 111 | 106 | 1k+ | Text Domain Mismatch | ||
| #2824 | Wppao Sitemap | 36 | 128 | 21 | 9k+ | Output is not escaped | ||
| #2825 | wpShopGermany IT-RECHT KANZLEI | 36 | 37 | 47 | 500 | Input is not sanitized | ||
| #2826 | Database Snapshots – WPvivid | 36 | 66 | 108 | 1k+ | Direct Query | ||
| #2827 | Visual CSS Style Editor | 36 | 283 | 233 | 40k+ | Output is not escaped | ||
| #2828 | Custom Product Tabs for WooCommerce | 36 | 87 | 81 | 80k+ | Output is not escaped | ||
| #2829 | Zeno – AI-Powered Chatbot | 36 | 311 | 131 | 400 | Text Domain Mismatch | ||
| #2830 | 360 Javascript Viewer | 37 | 144 | 22 | 1k+ | Output is not escaped | ||
| #2831 | Redirectioner | 37 | 234 | 410 | 1k+ | Output is not escaped | ||
| #2832 | ACF: TablePress | 37 | 160 | 45 | 1k+ | Text Domain Mismatch | ||
| #2833 | Adapta RGPD | 37 | 349 | 72 | 40k+ | Text Domain Mismatch | ||
| #2834 | Adaptive Images for WordPress | 37 | 51 | 75 | 3k+ | Output is not escaped | ||
| #2835 | Add From Server | 37 | 52 | 20 | 60k+ | Output is not escaped | ||
| #2836 | AddToAny Share Buttons | 37 | 123 | 164 | 300k+ | Unsafe printing function | ||
| #2837 | Advanced Accordion Gutenberg Block – Create Beautiful FAQs, Content Accordions & Interactive Tabs | 37 | 39 | 36 | 10k+ | Missing direct file access protection | ||
| #2838 | Advanced Custom Fields: NextGEN Gallery Field add-on | 37 | 131 | 20 | 400 | Output is not escaped | ||
| #2839 | PiWeb Advanced Flat rate / Conditional shipping for WooCommerce | 37 | 84 | 192 | 2k+ | wp function not compatible with requires wp | ||
| #2840 | Agreeable | 37 | 40 | 67 | 800 | Unsafe printing function | ||
| #2841 | AJAX Hits Counter + Popular Posts Widget | 37 | 247 | 44 | 900 | Output is not escaped | ||
| #2842 | Analytics Spam Blocker | 37 | 76 | 22 | 800 | Unsafe printing function | ||
| #2843 | Antom Payments | 37 | 62 | 73 | 800 | badly named files | ||
| #2844 | All-in-one Chat Button by anychat.one | 37 | 119 | 69 | 900 | Text Domain Mismatch | ||
| #2845 | Anything Popup | 37 | 164 | 185 | 2k+ | Non-prefixed global variable | ||
| #2846 | Apaczka: integracja z WooCommerce | 37 | 8 | 316 | 3k+ | Non-prefixed global variable | ||
| #2847 | Async JavaScript | 37 | 357 | 79 | 70k+ | Unsafe printing function | ||
| #2848 | Async JS and CSS | 37 | 90 | 1 | 700 | Text Domain Mismatch | ||
| #2849 | Login by Auth0 | 37 | 307 | 82 | 10k+ | Text Domain Mismatch | ||
| #2850 | authLdap | 37 | 46 | 30 | 4k+ | Exception output is not escaped |