WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3201qTranslate X Cleanup and WPML Import38167102800Text Domain Mismatch
#3202Quick Download Button38341232k+Non-prefixed global variable
#3203RDP Wiki Embed386926400Output is not escaped
#3204Recent Posts Plus3811141k+Output is not escaped
#3205Remove WordPress Overhead3864471k+Text Domain Mismatch
#3206Logo Carousel – Display Brand or Client Logos in Slider3852442800Output is not escaped
#3207Responsive Mailform ( Plugin Version ) – easy, responsive, contact, mailform38120107500Output is not escaped
#3208Restrict Widgets38135404k+Non Singular String Literal Domain
#3209Like This3860171k+Output is not escaped
#3210RSS Feed Widget38207892k+Unsafe printing function
#3211Invoice1233813988400Text Domain Mismatch
#3212Schema App Structured Data3835867k+Nonce verification recommended
#3213SCSS WP Editor3811140900Exception output is not escaped
#3214Author Image3851331k+Output is not escaped
#3215Shapely Companion38493910k+Output is not escaped
#3216ShiftNav – Responsive Mobile Menu382493510k+Text Domain Mismatch
#3217Shutter Reloaded38194951k+Text Domain Mismatch
#3218Simple Expires383239500Non Singular String Literal Domain
#3219Simple Google Sitemap XML383882k+Output is not escaped
#3220Simple JWT Login – Allows you to use JWT on REST endpoints.38712954k+Output is not escaped
#3221Simple Keyword to Link3890493k+Non Singular String Literal Domain
#3222Simple LDAP Login3865331k+Output is not escaped
#3223Simple Visitor Counter384127700Output is not escaped
#3224SimpleShop3852511k+date date
#3225Slickstream: Engagement and Conversions38100192k+Output is not escaped
#3226Slickplan Importer384058400Non-prefixed global variable
#3227Smart Cookie Kit38263813k+Output is not escaped
#3228Smart Maintenance Mode381371281k+Output is not escaped
#3229Social Icons38728310k+Output is not escaped
#3230SOGO Accessibility38147405k+Non Singular String Literal Domain
#3231SRS Simple Hits Counter3843988k+Output is not escaped
#3232Standout CSS3 Buttons3818315500Output is not escaped
#3233Stock Market News387111500Output is not escaped
#3234Stock Market Overview3886141k+Output is not escaped
#3235Stock Market Ticker3869143k+Output is not escaped
#3236Stock Quotes List387213600Output is not escaped
#3237Subscriptions & Memberships for PayPal3873237900Request data is not unslashed
#3238Super Simple Slider3855551k+Non-prefixed global variable
#3239Swiper Js Slider3812535400Output is not escaped
#3240Tag Manager – Header, Body And Footer389731920k+Non-prefixed global variable
#3241Logo Slider , Logo Carousel , Logo showcase , Client Logo3872221k+Output is not escaped
#3242Templatiq383194900Non-prefixed hook name
#3243Product Compare for WooCommerce38551913k+Non-prefixed global variable
#3244Variation Swatches for WooCommerce3845652k+Output is not escaped
#3245Theme Blvd Widget Pack38240171k+Output is not escaped
#3246Broadcast38211071k+Direct Query
#3247Accessibility Tools & Alt Text Finder3836563k+Text Domain Mismatch
#3248TopList.cz381387400Output is not escaped
#3249Plugin Name: Traffic Stats Widget Plugin3869107600Output is not escaped
#3250Trash Duplicate and 301 Redirect38131031k+Nonce verification recommended