WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3351BST DSGVO Cookie396175k+Unsafe printing function
#3352BuddyPress Default Cover Photo396239500Output is not escaped
#3353BuddyPress Notification Widget395431600Output is not escaped
#3354BugSnag Error Monitoring plugin3952962k+wp function not compatible with requires wp
#3355Bulk Auto Image Alt Text (Alt tag, Alt attribute) optimizer (image SEO)39164710k+Request data is not unslashed
#3356Bulk NoIndex & NoFollow Toolkit39721722k+Nonce verification recommended
#3357Better WordPress External Links3913035400Non Singular String Literal Domain
#3358Cache Images3972271k+Unsafe printing function
#3359Calculator Builder – Create an Online Calculator39162211k+Non-prefixed global variable
#3360CatFolders Document Gallery & PDF Library3966323k+Output is not escaped
#3361Saitama Addon Pack39152271k+Output is not escaped
#3362Contact Form 7 extension for Google Map fields3911858500Missing Arg Domain
#3363Innozilla Skins for Contact Form 739152222k+Output is not escaped
#3364Configurable Tag Cloud (CTC)391261212k+Output is not escaped
#3365Constant Contact + WooCommerce3927911k+Nonce verification recommended
#3366Contact Form 7 – Dynamic Text Extension3910328100k+Output is not escaped
#3367Image CAPTCHA for Contact Form 7 and WPForms by HookAndHook (DSGVO/GDPR)39284580k+Missing nonce verification
#3368Content Visibility for Divi Builder39184592k+Non Singular String Literal Domain
#3369Cookies for Comments39222920k+Input is not validated
#3370Country & Phone Field Contact Form 7391173440k+Text Domain Mismatch
#3371Custom Metadata Manager398120700Output is not escaped
#3372Custom Post Order391432400Input is not sanitized
#3373Custom Post Type Auto Menu395433500Text Domain Mismatch
#3374Custom Post Type Parents397518900Output is not escaped
#3375Custom Related Posts39131343k+Output is not escaped
#3376Custom Thank You for WooCommerce3910757400Output is not escaped
#3377Dashboard Cleaner394091500Missing nonce verification
#3378Datalogics Ecommerce Delivery – Datalogics3913115500Nonce verification recommended
#3379Deliverability – pass DKIM, SPF, DMARC & more392171800Nonce verification recommended
#3380Drip for Gravity Forms394121500Unsafe printing function
#3381Dublin Core Metadata Generator397415900Output is not escaped
#3382Duplicate Killer – Prevent Duplicate Form Submissions39571031k+Non-prefixed global variable
#3383WeShareAI – AI-Powered Share Buttons (formerly E-MAILiT)3916524700Unsafe printing function
#3384Easy PayPal Events & Tickets39285501k+Request data is not unslashed
#3385Editor Menu and Widget Access3981247k+Output is not escaped
#3386Caldera Forms styler for Elementor Page Builder3917312700Text Domain Mismatch
#3387ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor39733481m+Non-prefixed global variable
#3388Email Marketing by EmailOctopus3943623k+Non-prefixed global variable
#3389Enhanced Admin Bar with Codex Search396431k+Missing Arg Domain
#3390Events Manager – Zoom Integration3914143700Output is not escaped
#3391BestWebSoft's Like & Share – Posts, Pages and Widget Social Extension plugin for WordPress394802264k+Text Domain Mismatch
#3392FaniMani.pl3910311600Output is not escaped
#3393Faster Image Insert3994262k+Output is not escaped
#3394Favorites3918712310k+Unsafe printing function
#3395First Order Discount Woocommerce3955301k+Output is not escaped
#3396Fix Duplicates397673800Output is not escaped
#3397Flamix: Bitrix24 and WooCommerce Orders integration398131500Output is not escaped
#3398Flex Import3915132500Non-prefixed global variable
#3399Floating Action Button39164691k+Unsafe printing function
#3400Gallery Widget3912211500Output is not escaped