WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3551Modal Fly Cart & AJAX Add to Cart for WooCommerce3983742k+Text Domain Mismatch
#3552Claudio Sanches – PagSeguro for WooCommerce39873710k+Unsafe printing function
#3553WooCommerce Product Dependencies3944603k+Missing nonce verification
#3554Store Toolkit – WooCommerce Extensions, Quick Enhancements & Handy Tools39322668k+Output is not escaped
#3555WP Accessibility3920010460k+Unsafe printing function
#3556WP Add Custom CSS39452360k+Output is not escaped
#3557Aparat for WordPress3959143k+Output is not escaped
#3558WP Attachments3949443k+Output is not escaped
#3559WP-Cycle3953173k+Output is not escaped
#3560WPEPP – Essential Security, Password Protect & Login Page Customizer3934293k+Unsupported Identifier Placeholder
#3561WP Gmail SMTP3999501k+Text Domain Mismatch
#3562WP Limit Login Attempts39266710k+Direct Query
#3563WP Most Popular3950352k+Output is not escaped
#3564WP Multibyte Patch3924551m+Input is not sanitized
#3565WP Performance Score Booster – Optimize Speed, Enable Cache & Page Preload39592710k+Unsafe printing function
#3566WP Realtime Sitemap39464110k+Output is not escaped
#3567WP Revision Master399629900Text Domain Mismatch
#3568WP SendGrid SMTP3999501k+Text Domain Mismatch
#3569WP Server Health Stats39663110k+Output is not escaped
#3570WP Sitemap Control393137400Output is not escaped
#3571WP Sitemaps Config398837700Output is not escaped
#3572WP-Slimbox2 Plugin3977193k+Unsafe printing function
#3573WP Social Widget3923974k+Output is not escaped
#3574SEO Auto Linker3997623k+Unsafe printing function
#3575Categories to Tags Converter39863850k+Output is not escaped
#3576WPS Child Theme Generator39111856k+Unsafe printing function
#3577WPS Limit Login3915276100k+Output is not escaped
#3578Yandex Metrica39924620k+Output is not escaped
#3579YITH Custom Login3986335k+Output is not escaped
#3580You can quote me on that395737400Output is not escaped
#3581Z398469500Output is not escaped
#3582htaccess protect392833800Input is not validated
#3583404 Notifier403941700Output is not escaped
#3584AccessibleWP – ALT Detector405514500Text Domain Mismatch
#3585ACF qTranslate40184258k+Output is not escaped
#3586ACF Theme Code for Advanced Custom Fields404784010k+Output is not escaped
#3587ACF to Custom Database Tables403664600Nonce verification recommended
#3588Add Pinterest conversion tags for Pinterest Ads + Site verification4088261k+Output is not escaped
#3589Add & Replace Affiliate Links for Amazon403952600Output is not escaped
#3590Subscribe Button by AddToAny409347900Output is not escaped
#3591Address Autocomplete Anything409432900Unsafe printing function
#3592Admin Search4031471k+Output is not escaped
#3593Advanced Admin Search407948600Non Singular String Literal Text
#3594Advanced Custom Fields: Font Awesome Field403327090k+Text Domain Mismatch
#3595Advanced WooCommerce Product Gallery Slider4042483k+Non-prefixed global variable
#3596Advanced WPLink4067191k+Text Domain Mismatch
#3597AgreeMe Checkboxes For WooCommerce408844600Text Domain Mismatch
#3598AJAX Thumbnail Rebuild40381430k+Unsafe printing function
#3599Allow Multiple Accounts40115199k+Non Singular String Literal Domain
#3600amCharts: Charts and Maps402631132k+Text Domain Mismatch