WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3451Menubar39171461k+Output is not escaped
#3452Zen Feed393922400Output is not escaped
#3453Mizan Demo Importer3931681k+Missing Version
#3454Modal Dialog396464500Output is not escaped
#3455Movable Type and TypePad Importer39422520k+Output is not escaped
#3456Multilingual Contact Form 7 with Polylang3950309k+Text Domain Mismatch
#3457Social Proof Popups & Real-Time Notifications – Herd Effects3951811k+Non-prefixed global variable
#3458NextGEN Download Gallery3957212k+Short PHP open tag found
#3459Open Graph Pro3952131k+Output is not escaped
#3460SOGO Add Script to Individual Pages Header Footer39744020k+Output is not escaped
#3461OneSignal Sender3911250400Output is not escaped
#3462Page List Widget391506400Output is not escaped
#3463Pay by paynow.pl3951566k+Output is not escaped
#3464payever – WooCommerce Gateway39263131800Text Domain Mismatch
#3465Paystack Add-On for Gravity Forms399631400Text Domain Mismatch
#3466Designil PDPA Thailand39131363k+Output is not escaped
#3467PO/MO Editor39106451k+Unsafe printing function
#3468Posts By Tag39151301k+Output is not escaped
#3469Privilege Menu39215491k+Text Domain Mismatch
#3470Product Size Chart for Woocommerce3920169600Non-prefixed global variable
#3471Purge Varnish Cache391131511k+Non-prefixed global variable
#3472QR Redirector3948544k+Output is not escaped
#3473Quantcast Choice39227113k+Text Domain Mismatch
#3474Query Multiple Taxonomies395541500Output is not escaped
#3475Quform Mailchimp3965147800Nonce verification recommended
#3476Quform Zapier39601231k+Nonce verification recommended
#3477Simple Webchat391422041k+Output is not escaped
#3478Radio Buttons for Taxonomies39402420k+Output is not escaped
#3479Really Simple Gallery Widget3911490700Non-prefixed global variable
#3480Recent Posts with Excerpts391382700Output is not escaped
#3481Redirect 404 Error Page to Homepage or Custom Page with Logs39275310k+Nonce verification recommended
#3482Reorder by Term3920841k+Request data is not unslashed
#3483Responsify WP399011600Unsafe printing function
#3484REST API Helper3910885500Unsafe printing function
#3485RioVizual — Table Blocks for Comparison, Pricing and Pros & Cons3932751k+Nonce verification recommended
#3486Rollbar397514400Output is not escaped
#3487Royal Mail Shipping Calculator for WooCommerce3961311k+Text Domain Mismatch
#3488Scripts n Styles391509230k+Output is not escaped
#3489Easy Smooth Scroll Links39645600Output is not escaped
#3490SEO Auto Linker3990241k+Text Domain Mismatch
#3491SEO Friendly Images392922020k+Output is not escaped
#3492Taxonomy Thumbnail3927583k+Non-prefixed function
#3493Shipping by Rules for WooCommerce3913048500Output is not escaped
#3494Shipping Simulator for WooCommerce39120395k+Text Domain Mismatch
#3495Show All Comments3910892400Nonce verification recommended
#3496Simpaisa Wallet (Jazzcash & Easypaisa) Payment Services3967741k+Interpolated Variable Text
#3497Simple Membership WP user Import3922464k+Request data is not unslashed
#3498Simple Posts Ticker – Easy, Lightweight & Flexible39151282k+Output is not escaped
#3499Simple Staff List39902363k+Non-prefixed global variable
#3500SimpleModal Login395012700Unsafe printing function