WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3201 | qTranslate X Cleanup and WPML Import | 38 | 167 | 102 | 800 | Text Domain Mismatch | ||
| #3202 | Quick Download Button | 38 | 34 | 123 | 2k+ | Non-prefixed global variable | ||
| #3203 | RDP Wiki Embed | 38 | 69 | 26 | 400 | Output is not escaped | ||
| #3204 | Recent Posts Plus | 38 | 111 | 4 | 1k+ | Output is not escaped | ||
| #3205 | Remove WordPress Overhead | 38 | 64 | 47 | 1k+ | Text Domain Mismatch | ||
| #3206 | Logo Carousel – Display Brand or Client Logos in Slider | 38 | 524 | 42 | 800 | Output is not escaped | ||
| #3207 | Responsive Mailform ( Plugin Version ) – easy, responsive, contact, mailform | 38 | 120 | 107 | 500 | Output is not escaped | ||
| #3208 | Restrict Widgets | 38 | 135 | 40 | 4k+ | Non Singular String Literal Domain | ||
| #3209 | Like This | 38 | 60 | 17 | 1k+ | Output is not escaped | ||
| #3210 | RSS Feed Widget | 38 | 207 | 89 | 2k+ | Unsafe printing function | ||
| #3211 | Invoice123 | 38 | 139 | 88 | 400 | Text Domain Mismatch | ||
| #3212 | Schema App Structured Data | 38 | 35 | 86 | 7k+ | Nonce verification recommended | ||
| #3213 | SCSS WP Editor | 38 | 111 | 40 | 900 | Exception output is not escaped | ||
| #3214 | Author Image | 38 | 51 | 33 | 1k+ | Output is not escaped | ||
| #3215 | Shapely Companion | 38 | 49 | 39 | 10k+ | Output is not escaped | ||
| #3216 | ShiftNav – Responsive Mobile Menu | 38 | 249 | 35 | 10k+ | Text Domain Mismatch | ||
| #3217 | Shutter Reloaded | 38 | 194 | 95 | 1k+ | Text Domain Mismatch | ||
| #3218 | Simple Expires | 38 | 32 | 39 | 500 | Non Singular String Literal Domain | ||
| #3219 | Simple Google Sitemap XML | 38 | 38 | 8 | 2k+ | Output is not escaped | ||
| #3220 | Simple JWT Login – Allows you to use JWT on REST endpoints. | 38 | 712 | 95 | 4k+ | Output is not escaped | ||
| #3221 | Simple Keyword to Link | 38 | 90 | 49 | 3k+ | Non Singular String Literal Domain | ||
| #3222 | Simple LDAP Login | 38 | 65 | 33 | 1k+ | Output is not escaped | ||
| #3223 | Simple Visitor Counter | 38 | 41 | 27 | 700 | Output is not escaped | ||
| #3224 | SimpleShop | 38 | 52 | 51 | 1k+ | date date | ||
| #3225 | Slickstream: Engagement and Conversions | 38 | 100 | 19 | 2k+ | Output is not escaped | ||
| #3226 | Slickplan Importer | 38 | 40 | 58 | 400 | Non-prefixed global variable | ||
| #3227 | Smart Cookie Kit | 38 | 263 | 81 | 3k+ | Output is not escaped | ||
| #3228 | Smart Maintenance Mode | 38 | 137 | 128 | 1k+ | Output is not escaped | ||
| #3229 | Social Icons | 38 | 72 | 83 | 10k+ | Output is not escaped | ||
| #3230 | SOGO Accessibility | 38 | 147 | 40 | 5k+ | Non Singular String Literal Domain | ||
| #3231 | SRS Simple Hits Counter | 38 | 43 | 98 | 8k+ | Output is not escaped | ||
| #3232 | Standout CSS3 Buttons | 38 | 183 | 15 | 500 | Output is not escaped | ||
| #3233 | Stock Market News | 38 | 71 | 11 | 500 | Output is not escaped | ||
| #3234 | Stock Market Overview | 38 | 86 | 14 | 1k+ | Output is not escaped | ||
| #3235 | Stock Market Ticker | 38 | 69 | 14 | 3k+ | Output is not escaped | ||
| #3236 | Stock Quotes List | 38 | 72 | 13 | 600 | Output is not escaped | ||
| #3237 | Subscriptions & Memberships for PayPal | 38 | 73 | 237 | 900 | Request data is not unslashed | ||
| #3238 | Super Simple Slider | 38 | 55 | 55 | 1k+ | Non-prefixed global variable | ||
| #3239 | Swiper Js Slider | 38 | 125 | 35 | 400 | Output is not escaped | ||
| #3240 | Tag Manager – Header, Body And Footer | 38 | 97 | 319 | 20k+ | Non-prefixed global variable | ||
| #3241 | Logo Slider , Logo Carousel , Logo showcase , Client Logo | 38 | 72 | 22 | 1k+ | Output is not escaped | ||
| #3242 | Templatiq | 38 | 31 | 94 | 900 | Non-prefixed hook name | ||
| #3243 | Product Compare for WooCommerce | 38 | 55 | 191 | 3k+ | Non-prefixed global variable | ||
| #3244 | Variation Swatches for WooCommerce | 38 | 45 | 65 | 2k+ | Output is not escaped | ||
| #3245 | Theme Blvd Widget Pack | 38 | 240 | 17 | 1k+ | Output is not escaped | ||
| #3246 | Broadcast | 38 | 21 | 107 | 1k+ | Direct Query | ||
| #3247 | Accessibility Tools & Alt Text Finder | 38 | 36 | 56 | 3k+ | Text Domain Mismatch | ||
| #3248 | TopList.cz | 38 | 138 | 7 | 400 | Output is not escaped | ||
| #3249 | Plugin Name: Traffic Stats Widget Plugin | 38 | 69 | 107 | 600 | Output is not escaped | ||
| #3250 | Trash Duplicate and 301 Redirect | 38 | 13 | 103 | 1k+ | Nonce verification recommended |