WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3251 | Trash Duplicate and 301 Redirect | 38 | 13 | 103 | 1k+ | Nonce verification recommended | ||
| #3252 | TRUENDO | GDPR Compliant Cookie Manager | 38 | 98 | 38 | 600 | Output is not escaped | ||
| #3253 | Sidebar Login Widget | 38 | 90 | 16 | 700 | Output is not escaped | ||
| #3254 | Twenty Eleven Theme Extensions | 38 | 35 | 30 | 3k+ | Output is not escaped | ||
| #3255 | Twiget Twitter Widget | 38 | 147 | 36 | 500 | Output is not escaped | ||
| #3256 | Twitter for WordPress | 38 | 47 | 24 | 1k+ | Output is not escaped | ||
| #3257 | TypePad emoji for TinyMCE | 38 | 100 | 24 | 8k+ | Text Domain Mismatch | ||
| #3258 | Termly – GDPR/CCPA Cookie Consent Banner | 38 | 54 | 92 | 80k+ | Non-prefixed global variable | ||
| #3259 | Ultimate Member Widgets for Elementor – Login Form, Register Form & User Directory | 38 | 17 | 110 | 400 | Non-prefixed namespace | ||
| #3260 | Unconfirmed | 38 | 20 | 79 | 1k+ | Nonce verification recommended | ||
| #3261 | User Specific Content | 38 | 143 | 19 | 1k+ | Text Domain Mismatch | ||
| #3262 | VdoCipher: Secure Video Player and Hosting | 38 | 37 | 54 | 2k+ | Non-prefixed function | ||
| #3263 | Vertical News Scroller | 38 | 118 | 60 | 5k+ | Output is not escaped | ||
| #3264 | FancyTube – Video Gallery, Video Slider, and Playlist Slider for YouTube | 38 | 358 | 34 | 1k+ | Text Domain Mismatch | ||
| #3265 | Ninja Forms Views – Display & Edit Ninja Forms Submissions on your site frontend | 38 | 84 | 49 | 1k+ | Output is not escaped | ||
| #3266 | TWIPLA (Visitor Analytics IO) – Privacy-First Website Stats, Session Recordings, Heatmaps, Polls and Surveys | 38 | 71 | 49 | 900 | Output is not escaped | ||
| #3267 | Visual Admin Customizer | 38 | 20 | 51 | 500 | Input is not sanitized | ||
| #3268 | W2S – Migrate WooCommerce to Shopify | 38 | 33 | 132 | 1k+ | Non-prefixed global variable | ||
| #3269 | Chatbox Manager | 38 | 855 | 78 | 400 | Output is not escaped | ||
| #3270 | WC-AC Hook | 38 | 44 | 72 | 1k+ | Missing nonce verification | ||
| #3271 | Shipping Packages for WooCommerce – Dropship from multiple locations like AliExpress, eBay, Amazon, Etsy | 38 | 94 | 26 | 900 | Non Singular String Literal Domain | ||
| #3272 | SSLCommerz Payment Gateway | 38 | 21 | 132 | 2k+ | Non-prefixed global variable | ||
| #3273 | WDV About Me Widget | 38 | 150 | 8 | 900 | Output is not escaped | ||
| #3274 | Affiliate Sales in Google Analytics and other tools | 38 | 23 | 84 | 1k+ | Request data is not unslashed | ||
| #3275 | White Label – WordPress Custom Admin, Custom Login Page, and Custom Dashboard | 38 | 205 | 31 | 10k+ | Output is not escaped | ||
| #3276 | WholesaleX – B2B & Wholesale Plugin for WooCommerce with Wholesale Prices | 38 | 33 | 181 | 2k+ | Non-prefixed global variable | ||
| #3277 | WishSuite – Wishlist for WooCommerce | 38 | 76 | 133 | 1k+ | Output is not escaped | ||
| #3278 | Products Coming Soon for WooCommerce | 38 | 151 | 62 | 700 | Output is not escaped | ||
| #3279 | Show Stock Status for WooCommerce | 38 | 30 | 19 | 1k+ | Output is not escaped | ||
| #3280 | Vietnam Checkout for WooCommerce | 38 | 93 | 137 | 10k+ | Nonce verification recommended | ||
| #3281 | Wholesale for WooCommerce | 38 | 541 | 22 | 1k+ | Output is not escaped | ||
| #3282 | Connect WooCommerce Shop to ERP/CRM, Verifactu and EU/VAT Compliance | 38 | 23 | 104 | 1k+ | Direct Query | ||
| #3283 | WP Hebrew Date | 38 | 102 | 13 | 600 | Output is not escaped | ||
| #3284 | WP 404 Auto Redirect to Similar Post | 38 | 166 | 48 | 30k+ | Text Domain Mismatch | ||
| #3285 | WP Accessibility Helper (WAH) | 38 | 61 | 88 | 10k+ | Missing direct file access protection | ||
| #3286 | WP-Ban | 38 | 99 | 108 | 8k+ | Unsafe printing function | ||
| #3287 | WP-CommentNavi | 38 | 68 | 46 | 700 | Output is not escaped | ||
| #3288 | WP Content Copy Protection with Color Design | 38 | 96 | 61 | 5k+ | Non Singular String Literal Domain | ||
| #3289 | WP Discord Post Plus – Supports Unlimited Channels | 38 | 116 | 34 | 700 | Text Domain Mismatch | ||
| #3290 | WP-DraftsForFriends | 38 | 141 | 71 | 1k+ | Output is not escaped | ||
| #3291 | WP Mail SMTP SendGrid Edition | 38 | 102 | 19 | 500 | Text Domain Mismatch | ||
| #3292 | WP Mailgun SMTP | 38 | 99 | 51 | 900 | Text Domain Mismatch | ||
| #3293 | WP Maintenance Mode & Site Under Construction | 38 | 72 | 57 | 3k+ | Output is not escaped | ||
| #3294 | WP Media Categories | 38 | 40 | 103 | 800 | Nonce verification recommended | ||
| #3295 | mb.miniAudioPlayer – an HTML5 audio player for your mp3 files | 38 | 204 | 6 | 4k+ | Unsafe printing function | ||
| #3296 | Native PHP Sessions | 38 | 30 | 92 | 10k+ | Direct Query | ||
| #3297 | Real-Time Post Statistics for WordPress | 38 | 63 | 68 | 1k+ | SQL query is not prepared | ||
| #3298 | WP Redirects – Contact Form 7 | 38 | 50 | 71 | 400 | Unsafe printing function | ||
| #3299 | WP Safe Mode | 38 | 95 | 55 | 2k+ | Output is not escaped | ||
| #3300 | WP-ServerInfo | 38 | 162 | 55 | 10k+ | Output is not escaped |