WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3651 | Free Cookie Notice & Consent Banner for Privacy Compliance (GDPR, CCPA, DSGVO and others) | 40 | 39 | 15 | 6k+ | Missing direct file access protection | ||
| #3652 | Copyscape Premium | 40 | 148 | 133 | 800 | SQL query is not prepared | ||
| #3653 | Corona Virus Data | 40 | 279 | 27 | 1k+ | Unsafe printing function | ||
| #3654 | Coupon Generator for WooCommerce | 40 | 39 | 28 | 10k+ | Unsafe printing function | ||
| #3655 | Crisp – Live Chat and Chatbot | 40 | 24 | 20 | 20k+ | Unsafe printing function | ||
| #3656 | Cron Logger | 40 | 49 | 36 | 1k+ | Output is not escaped | ||
| #3657 | Cryout Serious Theme Settings | 40 | 332 | 51 | 40k+ | Output is not escaped | ||
| #3658 | Cryptocurrency Widgets Pack | 40 | 222 | 52 | 700 | Unsafe printing function | ||
| #3659 | Crypto Price Widgets – CryptoWP | 40 | 103 | 43 | 600 | Output is not escaped | ||
| #3660 | Custom Contact Forms | 40 | 13 | 106 | 6k+ | Missing nonce verification | ||
| #3661 | Custom Simple Rss | 40 | 73 | 130 | 2k+ | Nonce verification recommended | ||
| #3662 | Dashboard Welcome for Beaver Builder | 40 | 38 | 24 | 2k+ | Output is not escaped | ||
| #3663 | Delete Me | 40 | 116 | 17 | 7k+ | Output is not escaped | ||
| #3664 | Donation Thermometer | 40 | 324 | 88 | 2k+ | Output is not escaped | ||
| #3665 | Duplicate Page | 40 | 39 | 43 | 3m+ | Unsafe printing function | ||
| #3666 | Easy Document Embedder – Embed Word, excel, Powerpoint, Pdf file and more.. | 40 | 55 | 27 | 500 | Output is not escaped | ||
| #3667 | Easy Image Collage | 40 | 96 | 18 | 4k+ | Unsafe printing function | ||
| #3668 | Easy Textillate | 40 | 63 | 12 | 1k+ | Unsafe printing function | ||
| #3669 | Contact Form 7 styler for Elementor Page Builder | 40 | 126 | 10 | 800 | Unsafe printing function | ||
| #3670 | Enhanced Custom Permalinks | 40 | 51 | 82 | 1k+ | Nonce verification recommended | ||
| #3671 | Eventer | 40 | 61 | 55 | 1k+ | Output is not escaped | ||
| #3672 | Expiring Posts | 40 | 52 | 20 | 900 | Missing Arg Domain | ||
| #3673 | Export Post Info | 40 | 66 | 3 | 1k+ | Unsafe printing function | ||
| #3674 | Fan Page Widget by ThemeNcode | 40 | 108 | 3 | 1k+ | Output is not escaped | ||
| #3675 | FAQ Concertina | 40 | 43 | 16 | 600 | Output is not escaped | ||
| #3676 | FAQ Schema – Accordion, Tab, Slider & Gutenberg Block | 40 | 253 | 46 | 2k+ | Output is not escaped | ||
| #3677 | Far Future Expiry Header | 40 | 25 | 36 | 7k+ | Request data is not unslashed | ||
| #3678 | Fast User Switching | 40 | 28 | 28 | 2k+ | Output is not escaped | ||
| #3679 | Featured Post | 40 | 36 | 18 | 800 | Output is not escaped | ||
| #3680 | FluentComments – Spam protection, AntiSpam, Ajax Enhanced Comments | 40 | 50 | 47 | 700 | Non-prefixed global variable | ||
| #3681 | Flying Scripts: Delay JavaScript to Improve Site Speed & Performance | 40 | 23 | 44 | 30k+ | Missing direct file access protection | ||
| #3682 | FlyWP Helper – Page Cache, Page Optimization, Emails for FlyWP Server Control Panel | 40 | 20 | 81 | 4k+ | Non-prefixed global variable | ||
| #3683 | Full Background Manager | 40 | 37 | 24 | 7k+ | Output is not escaped | ||
| #3684 | Analytics Germanized for Google Analytics (GDPR / DSGVO) | 40 | 49 | 14 | 7k+ | Output is not escaped | ||
| #3685 | Osom Author Pro | 40 | 83 | 22 | 1k+ | Output is not escaped | ||
| #3686 | Get Cash | 40 | 84 | 49 | 500 | Non Singular String Literal Domain | ||
| #3687 | GetPaid > Item Inventory | 40 | 112 | 52 | 400 | Text Domain Mismatch | ||
| #3688 | Product Enquiry for WooCommerce | 40 | 57 | 41 | 3k+ | Output is not escaped | ||
| #3689 | Gravity Forms Data Persistence Add-On Reloaded | 40 | 14 | 38 | 700 | Input is not sanitized | ||
| #3690 | Header Footer Custom Html | 40 | 95 | 22 | 1k+ | Unsafe printing function | ||
| #3691 | Header Promo – Show Top Bar Message or Call to Action | 40 | 472 | 45 | 400 | Output is not escaped | ||
| #3692 | heatmap for WordPress – Realtime analytics | 40 | 94 | 15 | 1k+ | Non Singular String Literal Domain | ||
| #3693 | WP Armour – Honeypot Anti Spam | 40 | 54 | 66 | 400k+ | Missing nonce verification | ||
| #3694 | I Agree! Popups | 40 | 54 | 46 | 500 | Output is not escaped | ||
| #3695 | iCalendrier | 40 | 65 | 7 | 700 | Output is not escaped | ||
| #3696 | If Widget – Visibility control for Widgets | 40 | 99 | 25 | 1k+ | Unsafe printing function | ||
| #3697 | IFrame Widget | 40 | 87 | 1 | 500 | Output is not escaped | ||
| #3698 | Image Editor by Pixo | 40 | 126 | 66 | 800 | Output is not escaped | ||
| #3699 | Correios Automático – Rastreio, Frete, Etiqueta, Declaração e Devolução | 40 | 32 | 56 | 4k+ | Non-prefixed global variable | ||
| #3700 | Interactive US Map | 40 | 136 | 54 | 400 | Text Domain Mismatch |