WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3151 | Coding Chicken – JetEngine Importer | 38 | 55 | 29 | 400 | Missing direct file access protection | ||
| #3152 | Insert PHP Code Snippet | 38 | 164 | 227 | 90k+ | Output is not escaped | ||
| #3153 | 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery | 38 | 353 | 77 | 80k+ | Non Singular String Literal Domain | ||
| #3154 | JC Submenu | 38 | 279 | 32 | 4k+ | Output is not escaped | ||
| #3155 | Maintenance Redirect | 38 | 244 | 132 | 10k+ | Missing Arg Domain | ||
| #3156 | Jock On Air Now (JOAN) | 38 | 121 | 224 | 500 | Output is not escaped | ||
| #3157 | jQuery Pin It Button for Images | 38 | 129 | 36 | 10k+ | Output is not escaped | ||
| #3158 | Kali Forms — Contact Form & Drag-and-Drop Builder | 38 | 4 | 252 | 10k+ | Dynamic hook name | ||
| #3159 | Lana Downloads Manager | 38 | 146 | 78 | 3k+ | Unsafe printing function | ||
| #3160 | Lightning Advanced Unit | 38 | 189 | 27 | 3k+ | Output is not escaped | ||
| #3161 | Log Deprecated Notices | 38 | 92 | 73 | 900 | Text Domain Mismatch | ||
| #3162 | LuckyWP Scripts Control | 38 | 186 | 23 | 3k+ | Output is not escaped | ||
| #3163 | LWS Cleaner | 38 | 81 | 129 | 20k+ | Direct Query | ||
| #3164 | Magical Posts Display – Elementor Advanced Posts widgets | 38 | 115 | 46 | 3k+ | Output is not escaped | ||
| #3165 | Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin | 38 | 2 | 457 | 3k+ | Input is not sanitized | ||
| #3166 | Mega Elements – Addons for Elementor | 38 | 170 | 57 | 10k+ | Output is not escaped | ||
| #3167 | Auto SEO META keywords (META tags keywords) optimization + WooCommerce | 38 | 63 | 34 | 700 | Output is not escaped | ||
| #3168 | Migrate Store: Export and Import WooCommerce Settings | 38 | 37 | 33 | 1k+ | Non-prefixed global variable | ||
| #3169 | MimeTypes Link Icons | 38 | 53 | 34 | 8k+ | Output is not escaped | ||
| #3170 | Group chat for WordPress – Minnit Chat | 38 | 39 | 65 | 500 | Non-prefixed global variable | ||
| #3171 | MisterPlan – Booking Engines | 38 | 73 | 138 | 700 | Nonce verification recommended | ||
| #3172 | Monetag Official Plugin | 38 | 133 | 32 | 5k+ | Text Domain Mismatch | ||
| #3173 | Most And Least Read Posts Widget | 38 | 130 | 24 | 1k+ | Output is not escaped | ||
| #3174 | MultiLine Files for Contact Form 7 | 38 | 98 | 40 | 9k+ | Text Domain Mismatch | ||
| #3175 | Multiple Domain Mapping on Single Site | 38 | 135 | 51 | 6k+ | Text Domain Mismatch | ||
| #3176 | MX Time Zone Clocks | 38 | 219 | 41 | 1k+ | Output is not escaped | ||
| #3177 | Customize My Account for WooCommerce – Custom Tabs, Login, Registration, 2FA & Design | 38 | 78 | 172 | 800 | Non-prefixed global variable | ||
| #3178 | Name Directory | 38 | 520 | 309 | 2k+ | Output is not escaped | ||
| #3179 | Contact Form Widget | 38 | 54 | 107 | 1k+ | Request data is not unslashed | ||
| #3180 | Note – A live edit text widget | 38 | 118 | 49 | 1k+ | Output is not escaped | ||
| #3181 | One Click Demo Import | 38 | 22 | 84 | 1m+ | Non-prefixed global variable | ||
| #3182 | One Click Order Re-Order | 38 | 139 | 63 | 1k+ | Non Singular String Literal Domain | ||
| #3183 | OneSignal – Web Push Notifications | 38 | 53 | 64 | 70k+ | Output is not escaped | ||
| #3184 | Open Graphite | 38 | 380 | 204 | 3k+ | Unsafe printing function | ||
| #3185 | Ozh' Better Feed | 38 | 45 | 35 | 600 | Heredoc Output Not Escaped | ||
| #3186 | Page Links To | 38 | 31 | 40 | 100k+ | Unsafe printing function | ||
| #3187 | YAPE A1 Tiendas | 38 | 24 | 43 | 900 | Missing nonce verification | ||
| #3188 | PayTR Taksit Tablosu – WooCommerce | 38 | 67 | 39 | 3k+ | Non Singular String Literal Domain | ||
| #3189 | PDF Catalog for WooCommerce | 38 | 30 | 46 | 1k+ | Nonce verification recommended | ||
| #3190 | Podlove Subscribe button | 38 | 148 | 45 | 2k+ | Output is not escaped | ||
| #3191 | Polaroid Gallery | 38 | 105 | 20 | 1k+ | Unsafe printing function | ||
| #3192 | PopCash Code Integration Tool | 38 | 77 | 109 | 400 | Nonce verification recommended | ||
| #3193 | Popular Posts by Webline | 38 | 256 | 8 | 1k+ | Output is not escaped | ||
| #3194 | Popular Widget | 38 | 61 | 30 | 700 | Unsafe printing function | ||
| #3195 | Post Slider For WPBakery Page Builder | 38 | 201 | 14 | 1k+ | Output is not escaped | ||
| #3196 | Post views Stats | 38 | 37 | 51 | 1k+ | Non-prefixed global variable | ||
| #3197 | PostLinks | 38 | 107 | 10 | 700 | Output is not escaped | ||
| #3198 | qTranslate META | 38 | 88 | 26 | 400 | Output is not escaped | ||
| #3199 | qTranslate X Cleanup and WPML Import | 38 | 167 | 102 | 800 | Text Domain Mismatch | ||
| #3200 | Quick Download Button | 38 | 34 | 123 | 2k+ | Non-prefixed global variable |