WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3801Thin Out Revisions409335800Non Singular String Literal Domain
#3802Timed Content4076635k+Unsafe printing function
#3803Timeline History403117500Output is not escaped
#3804Tumblr Widget401061400Output is not escaped
#3805turboSMTP40114112400Unsafe printing function
#3806TW Recent Posts Widget4097141k+Output is not escaped
#3807TZ Flickr Widget40677500Output is not escaped
#3808Ultimate Custom Cursor401383800Output is not escaped
#3809Ultimate Noindex Nofollow Tool II4038513k+Input is not validated
#3810Ultimate Member – ForumWP forum integration403173500Nonce verification recommended
#3811Universal Honey Pot4023941k+Missing nonce verification
#3812Unlimited Logo Carousel4028615500Text Domain Mismatch
#3813Upcoming Events Lists407517900Text Domain Mismatch
#3814Url Rewrite Analyzer407323400Unsafe printing function
#3815UsersWP – ReCaptcha4080173k+Text Domain Mismatch
#3816UTM Leads Tracker – XLPlugins402138400Output is not escaped
#3817Visibility Control for LearnDash4055231k+Missing Arg Domain
#3818Visibility Control for LearnPress405219700Missing Arg Domain
#3819Visma Pay for Woocommerce4027372k+Output is not escaped
#3820Visual Builder for Contact Form 7402043500Output is not escaped
#3821Visual Editor Custom Buttons4030484k+Output is not escaped
#3822WP Sticky Button – Click to Chat40736410k+Non-prefixed global variable
#3823WooBooster Partial COD for WooCommerce409051500Text Domain Mismatch
#3824Where Did You Hear About Us Checkout Field for WooCommerce4057661k+Output is not escaped
#3825WC Search Orders By Product404766800Nonce verification recommended
#3826Webo-facto4041102800Nonce verification recommended
#3827Weight Based Pricing for WooCommerce4016786600Text Domain Mismatch
#3828Wider Admin Menu4076172k+Output is not escaped
#3829Widget Builder404052500Non-prefixed global variable
#3830Widget Menuizer404426600Missing Arg Domain
#3831Widget Visibility Without Jetpack4074475k+Text Domain Mismatch
#3832Widgets Control409247800Output is not escaped
#3833Wonder Video Embed409444k+Output is not escaped
#3834WPC Frequently Bought Together for WooCommerce406310910k+Output is not escaped
#3835Eurobank WooCommerce Payment Gateway4066432k+Non Singular String Literal Domain
#3836Preview E-mails for WooCommerce40353730k+Unsafe printing function
#3837NP Quote Request for WooCommerce40911459k+Non-prefixed global variable
#3838Total Sales Counts for WooCommerce4012162700SQL query is not prepared
#3839Additional Variation Images Gallery for WooCommerce406012920k+Non-prefixed global variable
#3840Wallet for WooCommerce403252420k+Non-prefixed hook name
#3841yubikey-plugin406433400Text Domain Mismatch
#3842All In One SEO Pack for WooCommerce4057253k+Text Domain Mismatch
#3843Simple Registration for WooCommerce4027554k+Missing nonce verification
#3844WooSidebars404337100k+Missing Translators Comment
#3845WP Ajax Load More Pagination and Infinite Scroll406315400Output is not escaped
#3846WP Compress for MainWP402036700Output is not escaped
#3847Custom CSS/JS405834800Text Domain Mismatch
#3848WP Date and Time Shortcode40901210k+Output is not escaped
#3849WP Discord Invite407342400Unsafe printing function
#3850Easy PayPal & Stripe Buy Now Button403889610k+Unsafe printing function