WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3101Chatbot for WordPress by Collect.chat ⚡️3858366k+Unsafe printing function
#3102Colorlib 404 Customizer3865155k+Missing direct file access protection
#3103Country Code Selector3891201k+Unsafe printing function
#3104country-redirect385819400Text Domain Mismatch
#3105Crop-Thumbnails38332740k+Missing direct file access protection
#3106CRUDLab Disable Comments382054700Missing nonce verification
#3107One page checkout and layouts for woocommerce3883523k+Non-prefixed global variable
#3108Custom Menu Wizard Widget38326302k+Output is not escaped
#3109WP Page Templates389228400Non Singular String Literal Domain
#3110Custom post type templates for Elementor3828933700Text Domain Mismatch
#3111Customize Posts3831771k+Non-prefixed hook name
#3112Login Page Customizer – Customize Login Screen & Branding38361721k+Non-prefixed function
#3113Darkify – Dark Mode & Night Mode for Website & Admin (Dark Theme Included)3838183600Non-prefixed global variable
#3114Datafeedr Comparison Sets38450533k+Output is not escaped
#3115Datafeedr WooCommerce Importer38112565k+Text Domain Mismatch
#3116Availability Datepicker – Booking Calendar for Contact Form 7 – Input WP383443020k+Text Domain Mismatch
#3117Decent Comments3893282k+Output is not escaped
#3118Responsive Pricing Table3830910510k+Non Singular String Literal Domain
#3119Product Badge, Label, Countdown Timer for WooCommerce – Sale Booster38371025k+Interpolated SQL is not prepared
#3120Easy WP Cleaner38581242k+Non-prefixed global variable
#3121Easy Yandex Metrica389748900Output is not escaped
#3122Elemailer Lite – Elementor email template & campaign builder3844505k+Output is not escaped
#3123Email Encoder – Protect Email Addresses and Phone Numbers38915090k+Non-prefixed global variable
#3124Erident Custom Login and Dashboard38122288k+Unsafe printing function
#3125EU Cookie Law Compliance38151222k+Non Singular String Literal Domain
#3126Export to Blogger3847117900Non-prefixed global variable
#3127Export User Data38187626k+Text Domain Mismatch
#3128Buttonizer – Social Media Share Buttons, Social Icons, & Social Feeds381678240k+Output is not escaped
#3129Social Photo Fetcher38151431k+Output is not escaped
#3130Social Shop for WooCommerce385124800Output is not escaped
#3131Responsive WordPress Slider – HG Slider3867757k+Missing nonce verification
#3132Flexy Breadcrumb382411320k+Output is not escaped
#3133Foyer – Digital Signage for WordPress381481911k+Non-prefixed global variable
#3134Front-end Editor387862500Output is not escaped
#3135Gecka Submenu38326363k+Output is not escaped
#3136GiveWP Donation Widgets for Elementor38483137k+Text Domain Mismatch
#3137Goal Tracker – Custom Event Tracking for GA438541252k+Output is not escaped
#3138GoDaddy Payments for WooCommerce3858652k+Output is not escaped
#3139GoodBarber3838731k+Nonce verification recommended
#3140GoUrl WooCommerce – Bitcoin Altcoin Payment Gateway Addon3827924600Non Singular String Literal Domain
#3141Great Caroussel3860131500SQL query is not prepared
#3142Greek Multi Tool – Greeklish Slugs, Permalinks & Transliteration38160821k+Unsafe printing function
#3143HashThemes Demo Importer3871446k+Output is not escaped
#3144CAOS | Host Google Analytics Locally381244410k+Output is not escaped
#3145WP Team – WordPress Team Member Plugin3853736500Text Domain Mismatch
#3146Icegram Mailer – Reliable Email Deliverability, No-code SMTP Replacement & Email logs38361062k+Non-prefixed global variable
#3147Illdy Companion38187236k+Output is not escaped
#3148ThumbPress – Compress Images, Manage Thumbnails, Detect Image Issues, WebP/AVIF, Lazy Loading, Hotlinking & More38208930k+Direct Query
#3149imoje38621602k+Nonce verification recommended
#3150Import to Photo Gallery from NextGen gallery388083400Direct Query