WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4001My Favorites4135341k+Output is not escaped
#4002My Wp Brand – Hide menu & Hide Plugin4174502k+Non Singular String Literal Domain
#4003Native Emoji4154375k+Unsafe printing function
#4004Nepali Date Utilities4151151k+date date
#4005Grid Gallery – for Photo Gallery, Image Gallery & Portfolio419741k+Request data is not unslashed
#4006Omnibus — show the lowest price41353710k+Output is not escaped
#4007Live Chat & AI Chatbot – onWebChat413191700error log error log
#4008Optimus – WordPress Image Optimizer41522030k+Unsafe printing function
#4009OSS Aliyun4119404k+Request data is not unslashed
#4010Page Loading Effects4168242k+Output is not escaped
#4011Page & Post Notes4112771k+Non-prefixed global variable
#4012Page Specific Menu Items4178192k+Output is not escaped
#4013Pages In Widgets4113163k+Output is not escaped
#4014Passwordless Login4140241k+Output is not escaped
#4015المنتور فارسی41195440k+Nonce verification recommended
#4016Personalize Login414784500Nonce verification recommended
#4017Phone Button4125203700Non-prefixed global variable
#4018Plugin Activation Tracker4136241k+Text Domain Mismatch
#4019Web Accessibility (formally known as Ally) – WCAG Scanning, Guided Fixes, Usability Widget414738500k+Output is not escaped
#4020Post Cloner4125151k+Text Domain Mismatch
#4021Posts 2 Posts41427310k+Non Singular String Literal Domain
#4022Posts Viewed Recently415816700Output is not escaped
#4023Powie's WHOIS Domain Check413811500Unsafe printing function
#4024Preload LCP Image41110314k+Unsafe printing function
#4025Prevent Landscape Rotation4131271k+Output is not escaped
#4026Pricing Table For WPBakery Page Builder411307600Output is not escaped
#4027Product Expiry for WooCommerce4131852k+Request data is not unslashed
#4028Simple Product Options for WooCommerce4162413k+Output is not escaped
#4029Product Questions & Answers for WooCommerce418195400Output is not escaped
#4030Quick View WooCommerce4180121k+Output is not escaped
#4031Recurring PayPal Donations414847800Text Domain Mismatch
#4032wpSUBpages Redirect412427600Output is not escaped
#4033Responsive Lightbox41681010k+Output is not escaped
#4034Revision Control41602840k+Output is not escaped
#4035Revisionize4154244k+Output is not escaped
#4036Send link to friend418147400Output is not escaped
#4037Service Box41150230400Missing nonce verification
#4038Share a Draft413963k+Output is not escaped
#4039Simple 301 Redirects By BetterLinks – Easy WordPress Redirect Manager for Redirects, 404 Error Log & More414361100k+Request data is not unslashed
#4040Simple CPT41280604k+Unsafe printing function
#4041Simple Like Page – Fast & Privacy-Friendly Page Embeds411453110k+Output is not escaped
#4042Simple Google Photos Grid414821k+Output is not escaped
#4043IP Ban4129392k+Input is not validated
#4044Simple Lightbox412148100k+Nonce verification recommended
#4045Simple Page Access Restriction4166516k+Unsafe printing function
#4046Simple Restrict4134121k+Output is not escaped
#4047Simple Revision Control4134431k+Dynamic hook name
#4048Slate Admin Theme41121196k+Output is not escaped
#4049Smart User Slug Hider4185123k+Output is not escaped
#4050Smooth Scroll Up4161106k+Output is not escaped