WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3951 | Fast Chat Button | 41 | 24 | 188 | 1k+ | Non-prefixed global variable | ||
| #3952 | Heroic Favicon Generator | 41 | 104 | 7 | 6k+ | Output is not escaped | ||
| #3953 | Feature A Page Widget | 41 | 66 | 5 | 3k+ | Output is not escaped | ||
| #3954 | Featured Audio | 41 | 54 | 9 | 400 | Output is not escaped | ||
| #3955 | Featured Image Generator | 41 | 31 | 16 | 1k+ | Output is not escaped | ||
| #3956 | Flexible Posts Widget | 41 | 136 | 33 | 8k+ | Output is not escaped | ||
| #3957 | FluentAffiliate – Affiliate Program Management Suite, Affiliates Manager | 41 | 115 | 14 | 1k+ | Exception output is not escaped | ||
| #3958 | Gallery Lightbox | 41 | 47 | 16 | 10k+ | Output is not escaped | ||
| #3959 | Genesis Featured Page Advanced | 41 | 209 | 4 | 7k+ | Output is not escaped | ||
| #3960 | Genesis Footer Builder | 41 | 124 | 3 | 1k+ | Output is not escaped | ||
| #3961 | Google Authenticator | 41 | 39 | 65 | 20k+ | Output is not escaped | ||
| #3962 | (Simply) Guest Author Name | 41 | 35 | 36 | 2k+ | Output is not escaped | ||
| #3963 | Hide My Dates | 41 | 50 | 11 | 400 | Unsafe printing function | ||
| #3964 | Hide WP Admin Login | 41 | 23 | 39 | 500 | Nonce verification recommended | ||
| #3965 | Highcompress Image Compressor | 41 | 106 | 69 | 600 | Text Domain Mismatch | ||
| #3966 | iCount Payment Gateway | 41 | 153 | 22 | 500 | Text Domain Mismatch | ||
| #3967 | Image Editor by Pixo | 41 | 120 | 68 | 800 | Output is not escaped | ||
| #3968 | Import external attachments | 41 | 18 | 26 | 2k+ | Output is not escaped | ||
| #3969 | Infinite Ajax Scrolling Lite For Woocommerce | 41 | 33 | 28 | 500 | Output is not escaped | ||
| #3970 | Inpost Paczkomaty | 41 | 35 | 68 | 8k+ | Text Domain Mismatch | ||
| #3971 | Insert JavaScript and CSS | 41 | 64 | 19 | 400 | Text Domain Mismatch | ||
| #3972 | Jellyfish Counter Widget | 41 | 174 | 5 | 1k+ | Output is not escaped | ||
| #3973 | Multiple Themes | 41 | 112 | 41 | 10k+ | Output is not escaped | ||
| #3974 | jQuery Vertical Scroller | 41 | 110 | 4 | 400 | Output is not escaped | ||
| #3975 | Social Sharing Plugin – Kiwi | 41 | 23 | 80 | 4k+ | Non-prefixed global variable | ||
| #3976 | Ko-fi Button | 41 | 75 | 15 | 5k+ | Output is not escaped | ||
| #3977 | Central Color Palette | 41 | 73 | 33 | 10k+ | Output is not escaped | ||
| #3978 | Lazy Load Optimizer | 41 | 63 | 26 | 3k+ | Unsafe printing function | ||
| #3979 | Lazy Load XT | 41 | 87 | 7 | 600 | Non Singular String Literal Domain | ||
| #3980 | LH Agree to Terms | 41 | 59 | 32 | 800 | Output is not escaped | ||
| #3981 | Lockdown WP Admin | 41 | 20 | 50 | 10k+ | Request data is not unslashed | ||
| #3982 | Log cleaner for Solid Security | 41 | 65 | 47 | 8k+ | Text Domain Mismatch | ||
| #3983 | Magic Liquidizer Responsive Table | 41 | 114 | 38 | 6k+ | Text Domain Mismatch | ||
| #3984 | MaxLimits – Increase Maximum Upload, Post & PHP Limits | 41 | 99 | 16 | 2k+ | Unsafe printing function | ||
| #3985 | MaxSlider | 41 | 21 | 45 | 7k+ | Output is not escaped | ||
| #3986 | Meks Flexible Shortcodes | 41 | 133 | 1 | 10k+ | Unsafe printing function | ||
| #3987 | Mihdan: Yandex Turbo Feed | 41 | 65 | 39 | 1k+ | Output is not escaped | ||
| #3988 | Mobile Contact Bar | 41 | 94 | 36 | 10k+ | Unsafe printing function | ||
| #3989 | Most Popular Categories | 41 | 67 | 2 | 600 | Output is not escaped | ||
| #3990 | MouseWheel Smooth Scroll | 41 | 104 | 7 | 100k+ | Text Domain Mismatch | ||
| #3991 | MS Custom Login | 41 | 117 | 6 | 900 | Unsafe printing function | ||
| #3992 | Multiple Domain | 41 | 42 | 17 | 10k+ | Output is not escaped | ||
| #3993 | My Favorites | 41 | 35 | 34 | 1k+ | Output is not escaped | ||
| #3994 | My Wp Brand – Hide menu & Hide Plugin | 41 | 74 | 50 | 2k+ | Non Singular String Literal Domain | ||
| #3995 | Native Emoji | 41 | 54 | 37 | 5k+ | Unsafe printing function | ||
| #3996 | Nepali Date Utilities | 41 | 51 | 15 | 1k+ | date date | ||
| #3997 | Grid Gallery – for Photo Gallery, Image Gallery & Portfolio | 41 | 9 | 74 | 1k+ | Request data is not unslashed | ||
| #3998 | Omnibus — show the lowest price | 41 | 35 | 37 | 10k+ | Output is not escaped | ||
| #3999 | Live Chat & AI Chatbot – onWebChat | 41 | 31 | 91 | 700 | error log error log | ||
| #4000 | Optimus – WordPress Image Optimizer | 41 | 52 | 20 | 30k+ | Unsafe printing function |