WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3451 | Menubar | 39 | 171 | 46 | 1k+ | Output is not escaped | ||
| #3452 | Zen Feed | 39 | 39 | 22 | 400 | Output is not escaped | ||
| #3453 | Mizan Demo Importer | 39 | 31 | 68 | 1k+ | Missing Version | ||
| #3454 | Modal Dialog | 39 | 64 | 64 | 500 | Output is not escaped | ||
| #3455 | Movable Type and TypePad Importer | 39 | 42 | 25 | 20k+ | Output is not escaped | ||
| #3456 | Multilingual Contact Form 7 with Polylang | 39 | 50 | 30 | 9k+ | Text Domain Mismatch | ||
| #3457 | Social Proof Popups & Real-Time Notifications – Herd Effects | 39 | 5 | 181 | 1k+ | Non-prefixed global variable | ||
| #3458 | NextGEN Download Gallery | 39 | 57 | 21 | 2k+ | Short PHP open tag found | ||
| #3459 | Open Graph Pro | 39 | 52 | 13 | 1k+ | Output is not escaped | ||
| #3460 | SOGO Add Script to Individual Pages Header Footer | 39 | 74 | 40 | 20k+ | Output is not escaped | ||
| #3461 | OneSignal Sender | 39 | 112 | 50 | 400 | Output is not escaped | ||
| #3462 | Page List Widget | 39 | 150 | 6 | 400 | Output is not escaped | ||
| #3463 | Pay by paynow.pl | 39 | 51 | 56 | 6k+ | Output is not escaped | ||
| #3464 | payever – WooCommerce Gateway | 39 | 263 | 131 | 800 | Text Domain Mismatch | ||
| #3465 | Paystack Add-On for Gravity Forms | 39 | 96 | 31 | 400 | Text Domain Mismatch | ||
| #3466 | Designil PDPA Thailand | 39 | 131 | 36 | 3k+ | Output is not escaped | ||
| #3467 | PO/MO Editor | 39 | 106 | 45 | 1k+ | Unsafe printing function | ||
| #3468 | Posts By Tag | 39 | 151 | 30 | 1k+ | Output is not escaped | ||
| #3469 | Privilege Menu | 39 | 215 | 49 | 1k+ | Text Domain Mismatch | ||
| #3470 | Product Size Chart for Woocommerce | 39 | 20 | 169 | 600 | Non-prefixed global variable | ||
| #3471 | Purge Varnish Cache | 39 | 113 | 151 | 1k+ | Non-prefixed global variable | ||
| #3472 | QR Redirector | 39 | 48 | 54 | 4k+ | Output is not escaped | ||
| #3473 | Quantcast Choice | 39 | 227 | 11 | 3k+ | Text Domain Mismatch | ||
| #3474 | Query Multiple Taxonomies | 39 | 55 | 41 | 500 | Output is not escaped | ||
| #3475 | Quform Mailchimp | 39 | 65 | 147 | 800 | Nonce verification recommended | ||
| #3476 | Quform Zapier | 39 | 60 | 123 | 1k+ | Nonce verification recommended | ||
| #3477 | Simple Webchat | 39 | 142 | 204 | 1k+ | Output is not escaped | ||
| #3478 | Radio Buttons for Taxonomies | 39 | 40 | 24 | 20k+ | Output is not escaped | ||
| #3479 | Really Simple Gallery Widget | 39 | 114 | 90 | 700 | Non-prefixed global variable | ||
| #3480 | Recent Posts with Excerpts | 39 | 138 | 2 | 700 | Output is not escaped | ||
| #3481 | Redirect 404 Error Page to Homepage or Custom Page with Logs | 39 | 27 | 53 | 10k+ | Nonce verification recommended | ||
| #3482 | Reorder by Term | 39 | 20 | 84 | 1k+ | Request data is not unslashed | ||
| #3483 | Responsify WP | 39 | 90 | 11 | 600 | Unsafe printing function | ||
| #3484 | REST API Helper | 39 | 108 | 85 | 500 | Unsafe printing function | ||
| #3485 | RioVizual — Table Blocks for Comparison, Pricing and Pros & Cons | 39 | 32 | 75 | 1k+ | Nonce verification recommended | ||
| #3486 | Rollbar | 39 | 75 | 14 | 400 | Output is not escaped | ||
| #3487 | Royal Mail Shipping Calculator for WooCommerce | 39 | 61 | 31 | 1k+ | Text Domain Mismatch | ||
| #3488 | Scripts n Styles | 39 | 150 | 92 | 30k+ | Output is not escaped | ||
| #3489 | Easy Smooth Scroll Links | 39 | 64 | 5 | 600 | Output is not escaped | ||
| #3490 | SEO Auto Linker | 39 | 90 | 24 | 1k+ | Text Domain Mismatch | ||
| #3491 | SEO Friendly Images | 39 | 292 | 20 | 20k+ | Output is not escaped | ||
| #3492 | Taxonomy Thumbnail | 39 | 27 | 58 | 3k+ | Non-prefixed function | ||
| #3493 | Shipping by Rules for WooCommerce | 39 | 130 | 48 | 500 | Output is not escaped | ||
| #3494 | Shipping Simulator for WooCommerce | 39 | 120 | 39 | 5k+ | Text Domain Mismatch | ||
| #3495 | Show All Comments | 39 | 108 | 92 | 400 | Nonce verification recommended | ||
| #3496 | Simpaisa Wallet (Jazzcash & Easypaisa) Payment Services | 39 | 67 | 74 | 1k+ | Interpolated Variable Text | ||
| #3497 | Simple Membership WP user Import | 39 | 22 | 46 | 4k+ | Request data is not unslashed | ||
| #3498 | Simple Posts Ticker – Easy, Lightweight & Flexible | 39 | 151 | 28 | 2k+ | Output is not escaped | ||
| #3499 | Simple Staff List | 39 | 90 | 236 | 3k+ | Non-prefixed global variable | ||
| #3500 | SimpleModal Login | 39 | 50 | 12 | 700 | Unsafe printing function |