WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2851avalex – Automatisch sichere Rechtstexte3725851k+Direct Query
#2852Avatar Privacy3782361k+Missing direct file access protection
#2853Random Posts and Pages Widget37322151k+Output is not escaped
#2854AZAN Plugin374430500Output is not escaped
#2855Banhammer – Monitor Site Traffic, Block Bad Users and Bots371041741k+Output is not escaped
#2856Custom Thank You Page Customize For WooCommerce by Binary Carpenter3745802k+error log error log
#2857Bellows Accordion Menu371602810k+Text Domain Mismatch
#2858Better Click To Share – Shareable Quote Boxes for X (Twitter)37170596k+Unsafe printing function
#2859Blimply3717243800Text Domain Mismatch
#2860Blog News Addons For Elementor (News, Magazine and Blog Addons)3723296400Non-prefixed global variable
#2861Customize WordPress Emails and Alerts – Better Notifications for WP37644730k+Missing Arg Domain
#2862Booster Extension37282897k+Non-prefixed global variable
#2863BuddyPress Members Only37184801k+Text Domain Mismatch
#2864bunny.net – WordPress CDN Plugin3716515910k+Output is not escaped
#2865Contact Zalo Report SW374439900Missing Arg Domain
#2866Delivery Date Time & Pickup for WooCommerce37148216400Output is not escaped
#2867Carousel Upsells and Related Product for Woocommerce37173351k+Output is not escaped
#2868Catalog Booster & Product Catalog Mode for WooCommerce371061681k+Non-prefixed function
#2869Checkout for PayPal3713467600Unsafe printing function
#2870Clearpay Gateway for WooCommerce37185631k+Text Domain Mismatch
#2871ClickCease Click Fraud Protection37305810k+Non-prefixed class
#2872ClickRank – Ai SEO Automation37102261k+Direct Query
#2873CodePeople Post Map for Google Maps37257313k+Unsafe printing function
#2874Coming Soon & Maintenance Mode by Colorlib371001366k+Non-prefixed global variable
#2875Lightweight Subscribe To Comments37105701k+Unsafe printing function
#2876Constant Contact Forms by MailMunch37147532k+wp function not compatible with requires wp
#2877CookieAdmin – Cookie Consent Banner374386400k+Nonce verification recommended
#2878CorvusPay WooCommerce Payment Gateway37291411k+Missing nonce verification
#2879Crafty Social Buttons3727927900Non Singular String Literal Domain
#2880Ultimate Custom Add To Cart Button (Ajax) For WooCommerce by Binary Carpenter3715161600Output is not escaped
#2881Simple Custom CSS and JS3716869600k+Output is not escaped
#2882Custom CSS Manager3755201k+Output is not escaped
#2883Custom Post Template37483010k+Output is not escaped
#2884Debug Log Viewer3726831k+Missing nonce verification
#2885Disclaimer Popup37313531k+Text Domain Mismatch
#2886Donation Block For PayPal3723106600Input is not validated
#2887DSGVO/GDPR Cookies, DSE, Impressum & Google Fonts Proxy3739125700Text Domain Mismatch
#2888Duo Two-Factor Authentication3744613k+Missing nonce verification
#2889Easy Photo Album37360431k+Text Domain Mismatch
#2890Pricing Table WordPress Plugin – Easy Pricing Tables3733216110k+Output is not escaped
#2891Easy Profile Widget3715720400Output is not escaped
#2892EasyMe Connect3713045500Text Domain Mismatch
#2893Eazy CF Captcha379354500Text Domain Mismatch
#2894WP eBay Product Feeds3713631700Output is not escaped
#2895Encyclopedia / Glossary / Wiki37263481k+Output is not escaped
#2896Excerpt Editor37170142500Unsafe printing function
#2897Exploit Scanner37251308k+Non-prefixed global variable
#2898Facturare WooCommerce371581063k+Text Domain Mismatch
#2899Furgonetka.pl: Przesyłki & Narzędzia e-commerce3766487k+Exception output is not escaped
#2900Get Custom Field Values3740441k+Output is not escaped