WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3701 | JSM Show Order Metadata for WooCommerce HPOS | 40 | 17 | 64 | 700 | Nonce verification recommended | ||
| #3702 | JSM Show Post Metadata | 40 | 15 | 66 | 10k+ | Nonce verification recommended | ||
| #3703 | JSM Show Term Metadata | 40 | 14 | 64 | 900 | Nonce verification recommended | ||
| #3704 | JSM Show User Metadata | 40 | 14 | 64 | 3k+ | Nonce verification recommended | ||
| #3705 | La Sentinelle antispam | 40 | 88 | 46 | 3k+ | Output is not escaped | ||
| #3706 | Flag Icons | 40 | 300 | 19 | 3k+ | Output is not escaped | ||
| #3707 | Social Like Box and Page by WpDevArt | 40 | 62 | 24 | 5k+ | Output is not escaped | ||
| #3708 | Limit Login Attempts | 40 | 81 | 38 | 300k+ | Output is not escaped | ||
| #3709 | Links shortcode | 40 | 73 | 13 | 900 | Unsafe printing function | ||
| #3710 | Listdomer Core | 40 | 45 | 92 | 400 | Non-prefixed global variable | ||
| #3711 | WP All Import – Listings Import for Listify | 40 | 34 | 27 | 400 | Output is not escaped | ||
| #3712 | LJ Multi Column Archive | 40 | 17 | 25 | 1k+ | Output is not escaped | ||
| #3713 | LLM Bot Tracker – AI Crawler Detection & Analytics | 40 | 18 | 90 | 700 | Database parameter is not escaped | ||
| #3714 | Logbook | 40 | 33 | 59 | 1k+ | Nonce verification recommended | ||
| #3715 | WPO365 | Mail Integration for Office 365 / Outlook | 40 | 59 | 27 | 2k+ | Output is not escaped | ||
| #3716 | MailerSend – Official SMTP Integration | 40 | 39 | 25 | 2k+ | Unsafe printing function | ||
| #3717 | Manual Image Crop | 40 | 178 | 61 | 8k+ | Output is not escaped | ||
| #3718 | Mark New Posts | 40 | 61 | 39 | 500 | Non Singular String Literal Domain | ||
| #3719 | MAS Company Reviews For WP Job Manager | 40 | 44 | 71 | 1k+ | Output is not escaped | ||
| #3720 | Mass Email To Users | 40 | 84 | 81 | 800 | Output is not escaped | ||
| #3721 | MembershipWorks – Membership, Events & Directory | 40 | 41 | 29 | 2k+ | Output is not escaped | ||
| #3722 | Mobile Contact Line | 40 | 39 | 355 | 1k+ | Non-prefixed global variable | ||
| #3723 | WP Mobile Redirect | 40 | 44 | 20 | 400 | Text Domain Mismatch | ||
| #3724 | Monkeyman Rewrite Analyzer | 40 | 89 | 10 | 2k+ | Non Singular String Literal Domain | ||
| #3725 | 코드엠샵 소셜톡 | 40 | 47 | 36 | 400 | Output is not escaped | ||
| #3726 | Multiple Featured Images | 40 | 50 | 22 | 5k+ | Output is not escaped | ||
| #3727 | My Social Feeds – Social Feeds Embedder Plugin for WP | 40 | 8 | 77 | 400 | Request data is not unslashed | ||
| #3728 | Flying Images: Optimize and Lazy Load Images for Faster Page Speed | 40 | 32 | 58 | 3k+ | Missing direct file access protection | ||
| #3729 | NextGEN Gallery Sidebar Widget | 40 | 59 | 10 | 500 | Output is not escaped | ||
| #3730 | No-Bot Registration | 40 | 112 | 42 | 2k+ | Unsafe printing function | ||
| #3731 | No CAPTCHA reCAPTCHA | 40 | 112 | 26 | 4k+ | Text Domain Mismatch | ||
| #3732 | One Click SSL | 40 | 136 | 62 | 10k+ | Unsafe printing function | ||
| #3733 | OPML Importer | 40 | 35 | 13 | 3k+ | Output is not escaped | ||
| #3734 | Owl Carousel WP | 40 | 62 | 19 | 1k+ | Output is not escaped | ||
| #3735 | Page As Subdomain Lite | 40 | 61 | 25 | 500 | Output is not escaped | ||
| #3736 | Page Comments Off Please | 40 | 17 | 29 | 1k+ | Nonce verification recommended | ||
| #3737 | Donations via PayPal | 40 | 143 | 17 | 20k+ | Output is not escaped | ||
| #3738 | Give – Paystack Gateway | 40 | 96 | 10 | 1k+ | Text Domain Mismatch | ||
| #3739 | Paystack MemberPress | 40 | 71 | 76 | 400 | Output is not escaped | ||
| #3740 | PE Recent Posts | 40 | 292 | 11 | 2k+ | Output is not escaped | ||
| #3741 | Permalink Editor | 40 | 50 | 28 | 1k+ | Output is not escaped | ||
| #3742 | Permalink Manager for WooCommerce | 40 | 115 | 20 | 8k+ | Short PHP open tag found | ||
| #3743 | List Petfinder Pets | 40 | 121 | 46 | 400 | Output is not escaped | ||
| #3744 | Pixel Tag Manager for WooCommerce – Google Analytics 4, Google Ads, and More Pixels | 40 | 68 | 249 | 3k+ | Missing nonce verification | ||
| #3745 | Popup addon for Ninja Forms | 40 | 121 | 25 | 1k+ | Output is not escaped | ||
| #3746 | Post Ratings | 40 | 160 | 32 | 600 | Output is not escaped | ||
| #3747 | Post Tiles | 40 | 46 | 5 | 400 | Output is not escaped | ||
| #3748 | Requirements Checklist | 40 | 200 | 22 | 900 | Output is not escaped | ||
| #3749 | Private Google Calendars | 40 | 227 | 37 | 1k+ | Output is not escaped | ||
| #3750 | Privilege Widget | 40 | 139 | 52 | 600 | Text Domain Mismatch |