WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3901Carbon Copy4164893k+Text Domain Mismatch
#3902Easy Social Like Box – Popup – Sidebar Widget41218917k+Text Domain Mismatch
#3903Categorized Tag Cloud4144171k+Output is not escaped
#3904Category Wise Search41589500Output is not escaped
#3905Čeština: zalomení řádků418686k+Text Domain Mismatch
#3906Conditional Fields for Contact Form 74110653100k+Output is not escaped
#3907CF7 Invisible reCAPTCHA4119527k+Request data is not unslashed
#3908Submission DOM tracking for Contact Form 7411448400Text Domain Mismatch
#3909ChatBot Conversational AI Support4172321k+Short PHP open tag found
#3910Checklist416225400Text Domain Mismatch
#3911clickskeks.at Cookiebanner412118500Unsafe printing function
#3912CloudGuard4141131k+Output is not escaped
#3913CMS Tree Page View – Reorder Pages with a Drag-and-Drop Tree411219650k+Unsafe printing function
#3914CoinPayments.net Payment Gateway for WooCommerce4151321k+Text Domain Mismatch
#3915Collapsed Archives415441k+Output is not escaped
#3916Colorful Categories4120202k+Output is not escaped
#3917Comments Like Dislike41172205k+Non Singular String Literal Domain
#3918Contact Form 7 Captcha41775100k+Request data is not unslashed
#3919Contact Form 7 Widget417042k+Output is not escaped
#3920Content Widget41729400Output is not escaped
#3921Contribuinte Checkout4130301k+Output is not escaped
#3922Controlled Admin Access41224010k+Nonce verification recommended
#3923Cookie Notice & Consent41101291k+Output is not escaped
#3924Simple Website Banner411068700Output is not escaped
#3925CurrencyConverter416296700Non Singular String Literal Domain
#3926Custom Meta412329700Output is not escaped
#3927Custom Post Type Cleanup4170121k+Output is not escaped
#3928Custom Recent Posts Widget416341k+Output is not escaped
#3929Dashboard Notepad41293410k+Missing nonce verification
#3930Database for CF74137322k+Text Domain Mismatch
#3931Debug Bar41642520k+Output is not escaped
#3932Developer Loggers for Simple History414628400Text Domain Mismatch
#3933DevVN Local Store4184281k+Unsafe printing function
#3934Dinamize414165500Output is not escaped
#3935Disable Everything41901630k+Output is not escaped
#3936Disqus Conditional Load4138143k+Output is not escaped
#3937DigitalOcean Spaces Sync41808500Text Domain Mismatch
#3938Dropdown multisite selector4182131k+Unsafe printing function
#3939GDPR tools: Cookie notice + privacy416786k+Unsafe printing function
#3940DSGVO Youtube4148291k+Unsafe printing function
#3941Duplicate Post Page Menu & Custom Post Type41351110k+Text Domain Mismatch
#3942Duplicate Page and Post41262180k+Unsafe printing function
#3943Easy Random Quotes414214500Output is not escaped
#3944Edit Lock414722500Non Singular String Literal Domain
#3945Email Address Encoder411098100k+wp function not compatible with requires wp
#3946Embed Chessboard411039600Text Domain Mismatch
#3947Essential Form – The lightest plugin for contact forms, ultra lightweight and no spam412153500Missing nonce verification
#3948Payment Gateway of PayPal for WooCommerce41441847k+Nonce verification recommended
#3949Extra User Details4184151k+Non Singular String Literal Domain
#3950Fast Chat Button41241881k+Non-prefixed global variable