WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2901Gmail SMTP37857110k+Unsafe printing function
#2902GHL Gravity Bridge – Send Gravity Forms leads to GHL CRM3759269600Direct Query
#2903GoCache3727343900Non Singular String Literal Domain
#2904XML Sitemap Generator for Google3743791m+Input is not validated
#2905GoPay for WooCommerce37661031k+Non-prefixed global variable
#2906GS Portfolio for Envato37155754k+Text Domain Mismatch
#2907Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder378311320k+SQL query is not prepared
#2908HandL UTM Grabber / Tracker373114610k+Missing nonce verification
#2909Hash Elements37147925k+Output is not escaped
#2910Horizontal scrolling announcements372151408k+Output is not escaped
#2911HT Builder – WordPress Theme Builder for Elementor37142411k+Output is not escaped
#2912HT Menu – WordPress Mega Menu Builder for Elementor37302583k+Text Domain Mismatch
#2913.htaccess Site Access Control375467800Input is not sanitized
#2914Humans TXT3715986400Output is not escaped
#2915Image Optimizer by 10web – Image Optimizer and Compression plugin37244453k+Text Domain Mismatch
#2916Image Widget Deluxe3719011k+Output is not escaped
#2917Images Optimize and Upload CF73713036600Non Singular String Literal Domain
#2918Images to WebP3739509k+curl curl setopt
#2919Injection Guard3786451k+Unsafe printing function
#2920Job Manager & Career – Manage job board listings, and recruitments371122052k+Missing nonce verification
#2921JS Help Desk – AI-Powered Support & Ticketing System37174067k+Missing nonce verification
#2922JVM Rich Text Icons3787343k+Output is not escaped
#2923Language Switcher37811051k+Missing Translators Comment
#2924LearnPress – Course Review37674320k+Output is not escaped
#2925LH Archived Post Status37150643k+Text Domain Mismatch
#2926List category posts371611780k+Output is not escaped
#2927PiWeb Live sales notification for WooCommerce372897730k+Text Domain Mismatch
#2928LiveAgent – Omnichannel Help Desk & Live Chat Software37125142400Non Singular String Literal Domain
#2929LiveJournal Importer3786678k+Output is not escaped
#2930Local Time Clock37105111k+Output is not escaped
#2931Localendar Calendar for WordPress372416400Output is not escaped
#2932MailingBoss WP Plugin3710830600Output is not escaped
#2933Maintenance Page3762333k+Output is not escaped
#2934Max Mega Menu37249174300k+Output is not escaped
#2935Meks Video Importer37622392k+Input is not sanitized
#2936Metorik – Reports & Email Automation for WooCommerce37757010k+Output is not escaped
#2937CrawlWP SEO – Instant Search Engine Indexing & SEO Performance Monitor37479040k+Dynamic hook name
#2938Monobank WP Payment3778411k+Text Domain Mismatch
#2939My Post Order37100114400Output is not escaped
#2940Nearby Now Reviews and Audio Testimonials3766671k+wp function not compatible with requires wp
#2941news ticker benaceur371,097311k+Output is not escaped
#2942NextGEN Scroll Gallery3733281k+Output is not escaped
#2943Ninja Van (MY)37212581k+Non-prefixed global variable
#2944Off-Canvas Sidebars & Menus (Slidebars)37457121k+Non Singular String Literal Domain
#2945Optin Forms – Simple List Building Plugin for WordPress37647223k+Output is not escaped
#2946WP All Export – Order Export for WooCommerce371091114k+Text Domain Mismatch
#2947OSM – OpenStreetMap371306410k+Output is not escaped
#2948GoHero Store Customizer for WooCommerce377553600Unsafe printing function
#2949Phoenix Media Rename3718010450k+Output is not escaped
#2950Plexx Elementor Extension3758214400Text Domain Mismatch