WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4101Simple Accessibility Button4133171900Non-prefixed global variable
#4102Z-Credit Checkout – WooCommerce Payment Gateway4115122900Text Domain Mismatch
#4103Zilla Portfolio4113915400Text Domain Mismatch
#4104Pricing Table – Responsive & Easy421171483k+Non-prefixed global variable
#4105ActiveTrail – Contact Form 7421885600Missing nonce verification
#4106Add to Cart Button Custom Text429849k+Text Domain Mismatch
#4107Add to Home Screen & Progressive Web App4223681k+Request data is not unslashed
#4108Affiliate Link Tracker422449500Request data is not unslashed
#4109Agoda Affiliate Partners Text Link Generator42440500Interpolated SQL is not prepared
#4110Post Grid Master — Post Grids & AJAX Filters42441151k+Non-prefixed global variable
#4111All-in-one Like Widget4216521k+Text Domain Mismatch
#4112Open Currency Converter4259191k+Unsafe printing function
#4113Automatic NBSP4224163k+Output is not escaped
#4114AweSplash – Just Splash Page423934400Output is not escaped
#4115多合一搜索自动推送管理插件-支持Baidu/Google/Bing/IndexNow/Yandex/头条4217382k+Input is not sanitized
#4116Basic SEO Pack42868700Output is not escaped
#4117Bazz CallBack widget4255283k+Unsafe printing function
#4118Block Temporary Email423313500Unsafe printing function
#4119Booking.com Official Search Box4236322k+Output is not escaped
#4120BP Auto Group Join425555700Output is not escaped
#4121Bulk Change Media Author4225202k+Unsafe printing function
#4122CCAvenue Payment Gateway for WooCommerce4253403k+Text Domain Mismatch
#4123Custom Spinner for Contact Form 74236111k+Output is not escaped
#4124HTML Template for CF74221271k+Non-prefixed global variable
#4125Change Background Color for Pages, Posts, Widgets42357500Text Domain Mismatch
#4126Chartbeat4233181k+Output is not escaped
#4127Cities Shipping Zones for WooCommerce4294444k+Text Domain Mismatch
#4128Clover Payments for WooCommerce4225152k+Exception output is not escaped
#4129Comment Blacklist Updater4245151k+Output is not escaped
#4130Comment Reply Email422123500Unsafe printing function
#4131Companion Revision Manager – Revision Control4218284k+Unsafe printing function
#4132Confetti42136173k+Unsafe printing function
#4133Contact Form 7 add confirm42315150k+Text Domain Mismatch
#4134Cookie Notify421554400Input is not validated
#4135CookieHub – Cookie Consent Banner (DSGVO, CCPA, RGPD and GDPR compliance)4233493k+Output is not escaped
#4136Cronjob Scheduler4220361k+Input is not sanitized
#4137Custom Admin Page by BestWebSoft – Configurable WordPress Dashboard Pages Plugin42472181400Text Domain Mismatch
#4138Custom Fields for Gutenberg4224241k+Output is not escaped
#4139Custom Login423611610k+Non-prefixed global variable
#4140Custom Taxonomy Order42205650k+Output is not escaped
#4141Simpliest Social Share423722600Unsafe printing function
#4142CWW connector Lite – Connect Contact Form 7 & ActiveCampaign423921400Output is not escaped
#4143Dashboard Notes422734600Missing Arg Domain
#4144Dashboard Sticky Notes4220172k+Missing nonce verification
#4145Delete Expired Transients4249655k+Direct Query
#4146Disable Comments424419100k+Unsafe printing function
#4147Disable Recaptcha – CF7427352k+Output is not escaped
#4148Disable User Login4225195k+Unsafe printing function
#4149Display Categories Widget429043k+Output is not escaped
#4150Simple HTML Sitemap4242201k+Text Domain Mismatch