WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3551 | Modal Fly Cart & AJAX Add to Cart for WooCommerce | 39 | 83 | 74 | 2k+ | Text Domain Mismatch | ||
| #3552 | Claudio Sanches – PagSeguro for WooCommerce | 39 | 87 | 37 | 10k+ | Unsafe printing function | ||
| #3553 | WooCommerce Product Dependencies | 39 | 44 | 60 | 3k+ | Missing nonce verification | ||
| #3554 | Store Toolkit – WooCommerce Extensions, Quick Enhancements & Handy Tools | 39 | 322 | 66 | 8k+ | Output is not escaped | ||
| #3555 | WP Accessibility | 39 | 200 | 104 | 60k+ | Unsafe printing function | ||
| #3556 | WP Add Custom CSS | 39 | 45 | 23 | 60k+ | Output is not escaped | ||
| #3557 | Aparat for WordPress | 39 | 59 | 14 | 3k+ | Output is not escaped | ||
| #3558 | WP Attachments | 39 | 49 | 44 | 3k+ | Output is not escaped | ||
| #3559 | WP-Cycle | 39 | 53 | 17 | 3k+ | Output is not escaped | ||
| #3560 | WPEPP – Essential Security, Password Protect & Login Page Customizer | 39 | 34 | 29 | 3k+ | Unsupported Identifier Placeholder | ||
| #3561 | WP Gmail SMTP | 39 | 99 | 50 | 1k+ | Text Domain Mismatch | ||
| #3562 | WP Limit Login Attempts | 39 | 26 | 67 | 10k+ | Direct Query | ||
| #3563 | WP Most Popular | 39 | 50 | 35 | 2k+ | Output is not escaped | ||
| #3564 | WP Multibyte Patch | 39 | 24 | 55 | 1m+ | Input is not sanitized | ||
| #3565 | WP Performance Score Booster – Optimize Speed, Enable Cache & Page Preload | 39 | 59 | 27 | 10k+ | Unsafe printing function | ||
| #3566 | WP Realtime Sitemap | 39 | 46 | 41 | 10k+ | Output is not escaped | ||
| #3567 | WP Revision Master | 39 | 96 | 29 | 900 | Text Domain Mismatch | ||
| #3568 | WP SendGrid SMTP | 39 | 99 | 50 | 1k+ | Text Domain Mismatch | ||
| #3569 | WP Server Health Stats | 39 | 66 | 31 | 10k+ | Output is not escaped | ||
| #3570 | WP Sitemap Control | 39 | 31 | 37 | 400 | Output is not escaped | ||
| #3571 | WP Sitemaps Config | 39 | 88 | 37 | 700 | Output is not escaped | ||
| #3572 | WP-Slimbox2 Plugin | 39 | 77 | 19 | 3k+ | Unsafe printing function | ||
| #3573 | WP Social Widget | 39 | 239 | 7 | 4k+ | Output is not escaped | ||
| #3574 | SEO Auto Linker | 39 | 97 | 62 | 3k+ | Unsafe printing function | ||
| #3575 | Categories to Tags Converter | 39 | 86 | 38 | 50k+ | Output is not escaped | ||
| #3576 | WPS Child Theme Generator | 39 | 111 | 85 | 6k+ | Unsafe printing function | ||
| #3577 | WPS Limit Login | 39 | 152 | 76 | 100k+ | Output is not escaped | ||
| #3578 | Yandex Metrica | 39 | 92 | 46 | 20k+ | Output is not escaped | ||
| #3579 | YITH Custom Login | 39 | 86 | 33 | 5k+ | Output is not escaped | ||
| #3580 | You can quote me on that | 39 | 57 | 37 | 400 | Output is not escaped | ||
| #3581 | Z | 39 | 84 | 69 | 500 | Output is not escaped | ||
| #3582 | htaccess protect | 39 | 28 | 33 | 800 | Input is not validated | ||
| #3583 | 404 Notifier | 40 | 39 | 41 | 700 | Output is not escaped | ||
| #3584 | AccessibleWP – ALT Detector | 40 | 55 | 14 | 500 | Text Domain Mismatch | ||
| #3585 | ACF qTranslate | 40 | 184 | 25 | 8k+ | Output is not escaped | ||
| #3586 | ACF Theme Code for Advanced Custom Fields | 40 | 478 | 40 | 10k+ | Output is not escaped | ||
| #3587 | ACF to Custom Database Tables | 40 | 36 | 64 | 600 | Nonce verification recommended | ||
| #3588 | Add Pinterest conversion tags for Pinterest Ads + Site verification | 40 | 88 | 26 | 1k+ | Output is not escaped | ||
| #3589 | Add & Replace Affiliate Links for Amazon | 40 | 39 | 52 | 600 | Output is not escaped | ||
| #3590 | Subscribe Button by AddToAny | 40 | 93 | 47 | 900 | Output is not escaped | ||
| #3591 | Address Autocomplete Anything | 40 | 94 | 32 | 900 | Unsafe printing function | ||
| #3592 | Admin Search | 40 | 31 | 47 | 1k+ | Output is not escaped | ||
| #3593 | Advanced Admin Search | 40 | 79 | 48 | 600 | Non Singular String Literal Text | ||
| #3594 | Advanced Custom Fields: Font Awesome Field | 40 | 332 | 70 | 90k+ | Text Domain Mismatch | ||
| #3595 | Advanced WooCommerce Product Gallery Slider | 40 | 42 | 48 | 3k+ | Non-prefixed global variable | ||
| #3596 | Advanced WPLink | 40 | 67 | 19 | 1k+ | Text Domain Mismatch | ||
| #3597 | AgreeMe Checkboxes For WooCommerce | 40 | 88 | 44 | 600 | Text Domain Mismatch | ||
| #3598 | AJAX Thumbnail Rebuild | 40 | 38 | 14 | 30k+ | Unsafe printing function | ||
| #3599 | Allow Multiple Accounts | 40 | 115 | 19 | 9k+ | Non Singular String Literal Domain | ||
| #3600 | amCharts: Charts and Maps | 40 | 263 | 113 | 2k+ | Text Domain Mismatch |