WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3851WP Paint – WordPress Image Editor4030296k+Missing Arg Domain
#3852WP Posts Carousel40199123k+Unsafe printing function
#3853QR code MeCard/vCard generator40322212k+Unsafe printing function
#3854WP Reroute Email401411061k+Output is not escaped
#3855Sentry for WordPress40804010k+Text Domain Mismatch
#3856Social Share Buttons & Analytics Plugin – GetSocial.io4097252k+Output is not escaped
#3857WP Tab Widget401283210k+Output is not escaped
#3858WP Theme Test4021397k+Input is not sanitized
#3859WPC Force Sells for WooCommerce403897600Output is not escaped
#3860WPC Smart Price Filter for WooCommerce402362600Nonce verification recommended
#3861WPFront Notification Bar402224450k+Output is not escaped
#3862WPS Menu Exporter40472210k+Output is not escaped
#3863XLTab – Accordions and Tabs for Elementor Page Builder40317651k+Text Domain Mismatch
#3864Yektanet Ecommerce4045103900Request data is not unslashed
#3865My YouTube Channel4054385k+Output is not escaped
#3866Zippy4043319k+Output is not escaped
#3867Simple Counter4160121k+Unsafe printing function
#3868AMP for WP – Accelerated Mobile Pages416562,40180k+Non-prefixed global variable
#3869ACF: Advanced Taxonomy Selector4156151k+Output is not escaped
#3870Ad Auto Insert H41496151k+Non Singular String Literal Domain
#3871Add-on Contact Form 7 – MailPoet 34188123k+Output is not escaped
#3872Add Chat App Button4182122k+Output is not escaped
#3873AddQuicktag418610100k+Output is not escaped
#3874Advance Bank Payment Transfer Gateway41105621k+Text Domain Mismatch
#3875ACF: Google Map Extended411418800Text Domain Mismatch
#3876Advanced Excerpt41694370k+Unsafe printing function
#3877AffiliateWP – Affiliate Product Rates4184242k+Output is not escaped
#3878Age Verify4129311k+Output is not escaped
#3879AH Display Widgets4152168k+Text Domain Mismatch
#3880Schema – All In One Schema Rich Snippets4159818030k+Text Domain Mismatch
#3881Alma – Pay in installments or later for WooCommerce41116681k+Exception output is not escaped
#3882Amazon Link Engine4138172k+Output is not escaped
#3883Amazon Web Services4153215k+Missing Translators Comment
#3884Announcer – Sticky Message Banner & Notification Bar411102710k+Output is not escaped
#3885Antispam411141400Missing nonce verification
#3886ATP Call Now41987700Output is not escaped
#3887Authenticator4159441k+Output is not escaped
#3888Auto Image Attributes From Filename With Bulk Updater (Add Alt Text, Image Title For Image SEO)4117526100k+Unsafe printing function
#3889Autocomplete Google Address4121672k+Nonce verification recommended
#3890Avatar Manager4129415k+Unsafe printing function
#3891Backend Designer4150111k+Output is not escaped
#3892Beam me up Scotty – Back to Top Button4171381k+Output is not escaped
#3893Beautiful Cookie Consent Banner41337640k+Non-prefixed global variable
#3894Book Now4175141k+Output is not escaped
#3895Bop Search Box Item Type For Nav Menus4152141k+Output is not escaped
#3896BuddyPress Xprofile Custom Field Types41391894k+Missing nonce verification
#3897BuddyPress Edit Activity412826800Output is not escaped
#3898Bulk Auto Image Title Attribute (Image Title tag) optimizer (Image SEO)4116371k+Missing nonce verification
#3899Bulk Images to Posts415551k+Unsafe printing function
#3900Buzzsprout Podcasting4175135k+Non Singular String Literal Domain