WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3801 | Thin Out Revisions | 40 | 93 | 35 | 800 | Non Singular String Literal Domain | ||
| #3802 | Timed Content | 40 | 76 | 63 | 5k+ | Unsafe printing function | ||
| #3803 | Timeline History | 40 | 31 | 17 | 500 | Output is not escaped | ||
| #3804 | Tumblr Widget | 40 | 106 | 1 | 400 | Output is not escaped | ||
| #3805 | turboSMTP | 40 | 114 | 112 | 400 | Unsafe printing function | ||
| #3806 | TW Recent Posts Widget | 40 | 97 | 14 | 1k+ | Output is not escaped | ||
| #3807 | TZ Flickr Widget | 40 | 67 | 7 | 500 | Output is not escaped | ||
| #3808 | Ultimate Custom Cursor | 40 | 138 | 3 | 800 | Output is not escaped | ||
| #3809 | Ultimate Noindex Nofollow Tool II | 40 | 38 | 51 | 3k+ | Input is not validated | ||
| #3810 | Ultimate Member – ForumWP forum integration | 40 | 31 | 73 | 500 | Nonce verification recommended | ||
| #3811 | Universal Honey Pot | 40 | 23 | 94 | 1k+ | Missing nonce verification | ||
| #3812 | Unlimited Logo Carousel | 40 | 286 | 15 | 500 | Text Domain Mismatch | ||
| #3813 | Upcoming Events Lists | 40 | 75 | 17 | 900 | Text Domain Mismatch | ||
| #3814 | Url Rewrite Analyzer | 40 | 73 | 23 | 400 | Unsafe printing function | ||
| #3815 | UsersWP – ReCaptcha | 40 | 80 | 17 | 3k+ | Text Domain Mismatch | ||
| #3816 | UTM Leads Tracker – XLPlugins | 40 | 21 | 38 | 400 | Output is not escaped | ||
| #3817 | Visibility Control for LearnDash | 40 | 55 | 23 | 1k+ | Missing Arg Domain | ||
| #3818 | Visibility Control for LearnPress | 40 | 52 | 19 | 700 | Missing Arg Domain | ||
| #3819 | Visma Pay for Woocommerce | 40 | 27 | 37 | 2k+ | Output is not escaped | ||
| #3820 | Visual Builder for Contact Form 7 | 40 | 20 | 43 | 500 | Output is not escaped | ||
| #3821 | Visual Editor Custom Buttons | 40 | 30 | 48 | 4k+ | Output is not escaped | ||
| #3822 | WP Sticky Button – Click to Chat | 40 | 73 | 64 | 10k+ | Non-prefixed global variable | ||
| #3823 | WooBooster Partial COD for WooCommerce | 40 | 90 | 51 | 500 | Text Domain Mismatch | ||
| #3824 | Where Did You Hear About Us Checkout Field for WooCommerce | 40 | 57 | 66 | 1k+ | Output is not escaped | ||
| #3825 | WC Search Orders By Product | 40 | 47 | 66 | 800 | Nonce verification recommended | ||
| #3826 | Webo-facto | 40 | 41 | 102 | 800 | Nonce verification recommended | ||
| #3827 | Weight Based Pricing for WooCommerce | 40 | 167 | 86 | 600 | Text Domain Mismatch | ||
| #3828 | Wider Admin Menu | 40 | 76 | 17 | 2k+ | Output is not escaped | ||
| #3829 | Widget Builder | 40 | 40 | 52 | 500 | Non-prefixed global variable | ||
| #3830 | Widget Menuizer | 40 | 44 | 26 | 600 | Missing Arg Domain | ||
| #3831 | Widget Visibility Without Jetpack | 40 | 74 | 47 | 5k+ | Text Domain Mismatch | ||
| #3832 | Widgets Control | 40 | 92 | 47 | 800 | Output is not escaped | ||
| #3833 | Wonder Video Embed | 40 | 94 | 4 | 4k+ | Output is not escaped | ||
| #3834 | WPC Frequently Bought Together for WooCommerce | 40 | 63 | 109 | 10k+ | Output is not escaped | ||
| #3835 | Eurobank WooCommerce Payment Gateway | 40 | 66 | 43 | 2k+ | Non Singular String Literal Domain | ||
| #3836 | Preview E-mails for WooCommerce | 40 | 35 | 37 | 30k+ | Unsafe printing function | ||
| #3837 | NP Quote Request for WooCommerce | 40 | 91 | 145 | 9k+ | Non-prefixed global variable | ||
| #3838 | Total Sales Counts for WooCommerce | 40 | 121 | 62 | 700 | SQL query is not prepared | ||
| #3839 | Additional Variation Images Gallery for WooCommerce | 40 | 60 | 129 | 20k+ | Non-prefixed global variable | ||
| #3840 | Wallet for WooCommerce | 40 | 32 | 524 | 20k+ | Non-prefixed hook name | ||
| #3841 | yubikey-plugin | 40 | 64 | 33 | 400 | Text Domain Mismatch | ||
| #3842 | All In One SEO Pack for WooCommerce | 40 | 57 | 25 | 3k+ | Text Domain Mismatch | ||
| #3843 | Simple Registration for WooCommerce | 40 | 27 | 55 | 4k+ | Missing nonce verification | ||
| #3844 | WooSidebars | 40 | 43 | 37 | 100k+ | Missing Translators Comment | ||
| #3845 | WP Ajax Load More Pagination and Infinite Scroll | 40 | 63 | 15 | 400 | Output is not escaped | ||
| #3846 | WP Compress for MainWP | 40 | 20 | 36 | 700 | Output is not escaped | ||
| #3847 | Custom CSS/JS | 40 | 58 | 34 | 800 | Text Domain Mismatch | ||
| #3848 | WP Date and Time Shortcode | 40 | 90 | 12 | 10k+ | Output is not escaped | ||
| #3849 | WP Discord Invite | 40 | 73 | 42 | 400 | Unsafe printing function | ||
| #3850 | Easy PayPal & Stripe Buy Now Button | 40 | 388 | 96 | 10k+ | Unsafe printing function |