WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3701JSM Show Order Metadata for WooCommerce HPOS401764700Nonce verification recommended
#3702JSM Show Post Metadata40156610k+Nonce verification recommended
#3703JSM Show Term Metadata401464900Nonce verification recommended
#3704JSM Show User Metadata4014643k+Nonce verification recommended
#3705La Sentinelle antispam4088463k+Output is not escaped
#3706Flag Icons40300193k+Output is not escaped
#3707Social Like Box and Page by WpDevArt4062245k+Output is not escaped
#3708Limit Login Attempts408138300k+Output is not escaped
#3709Links shortcode407313900Unsafe printing function
#3710Listdomer Core404592400Non-prefixed global variable
#3711WP All Import – Listings Import for Listify403427400Output is not escaped
#3712LJ Multi Column Archive4017251k+Output is not escaped
#3713LLM Bot Tracker – AI Crawler Detection & Analytics401890700Database parameter is not escaped
#3714Logbook4033591k+Nonce verification recommended
#3715WPO365 | Mail Integration for Office 365 / Outlook4059272k+Output is not escaped
#3716MailerSend – Official SMTP Integration4039252k+Unsafe printing function
#3717Manual Image Crop40178618k+Output is not escaped
#3718Mark New Posts406139500Non Singular String Literal Domain
#3719MAS Company Reviews For WP Job Manager4044711k+Output is not escaped
#3720Mass Email To Users408481800Output is not escaped
#3721MembershipWorks – Membership, Events & Directory4041292k+Output is not escaped
#3722Mobile Contact Line40393551k+Non-prefixed global variable
#3723WP Mobile Redirect404420400Text Domain Mismatch
#3724Monkeyman Rewrite Analyzer4089102k+Non Singular String Literal Domain
#3725코드엠샵 소셜톡404736400Output is not escaped
#3726Multiple Featured Images4050225k+Output is not escaped
#3727My Social Feeds – Social Feeds Embedder Plugin for WP40877400Request data is not unslashed
#3728Flying Images: Optimize and Lazy Load Images for Faster Page Speed4032583k+Missing direct file access protection
#3729NextGEN Gallery Sidebar Widget405910500Output is not escaped
#3730No-Bot Registration40112422k+Unsafe printing function
#3731No CAPTCHA reCAPTCHA40112264k+Text Domain Mismatch
#3732One Click SSL401366210k+Unsafe printing function
#3733OPML Importer4035133k+Output is not escaped
#3734Owl Carousel WP4062191k+Output is not escaped
#3735Page As Subdomain Lite406125500Output is not escaped
#3736Page Comments Off Please4017291k+Nonce verification recommended
#3737Donations via PayPal401431720k+Output is not escaped
#3738Give – Paystack Gateway4096101k+Text Domain Mismatch
#3739Paystack MemberPress407176400Output is not escaped
#3740PE Recent Posts40292112k+Output is not escaped
#3741Permalink Editor4050281k+Output is not escaped
#3742Permalink Manager for WooCommerce40115208k+Short PHP open tag found
#3743List Petfinder Pets4012146400Output is not escaped
#3744Pixel Tag Manager for WooCommerce – Google Analytics 4, Google Ads, and More Pixels40682493k+Missing nonce verification
#3745Popup addon for Ninja Forms40121251k+Output is not escaped
#3746Post Ratings4016032600Output is not escaped
#3747Post Tiles40465400Output is not escaped
#3748Requirements Checklist4020022900Output is not escaped
#3749Private Google Calendars40227371k+Output is not escaped
#3750Privilege Widget4013952600Text Domain Mismatch