WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4151 | Easy Demo Import for Omega Themes | 42 | 33 | 41 | 400 | Output is not escaped | ||
| #4152 | Easy Video Player | 42 | 20 | 20 | 20k+ | Output is not escaped | ||
| #4153 | Embedly | 42 | 17 | 38 | 2k+ | Output is not escaped | ||
| #4154 | Enable Classic Editor & Widgets | 42 | 106 | 6 | 2k+ | Non Singular String Literal Domain | ||
| #4155 | Etsy Shop | 42 | 58 | 21 | 3k+ | Unsafe printing function | ||
| #4156 | Exclude Pages | 42 | 31 | 14 | 20k+ | Non Singular String Literal Domain | ||
| #4157 | Exit Popup | 42 | 51 | 5 | 1k+ | Output is not escaped | ||
| #4158 | FCM Push Notification from WP | 42 | 43 | 16 | 500 | Non Singular String Literal Domain | ||
| #4159 | File Media Renamer | 42 | 16 | 42 | 2k+ | Input is not sanitized | ||
| #4160 | First payment date for WooCommerce Subscriptions | 42 | 42 | 19 | 400 | Output is not escaped | ||
| #4161 | Flamix: Bitrix24 and Contact Form 7 integrations | 42 | 79 | 4 | 1k+ | Output is not escaped | ||
| #4162 | Flexible Editor Panel for Elementor | 42 | 154 | 42 | 20k+ | Text Domain Mismatch | ||
| #4163 | Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution | 42 | 111 | 17 | 20k+ | Exception output is not escaped | ||
| #4164 | FooTable | 42 | 86 | 7 | 1k+ | Output is not escaped | ||
| #4165 | Lock Down Admin | 42 | 30 | 20 | 3k+ | Unsafe printing function | ||
| #4166 | Fusion Page Builder : Extension – Gallery | 42 | 29 | 30 | 600 | Output is not escaped | ||
| #4167 | GA Google Analytics – Connect Google Analytics to WordPress | 42 | 46 | 30 | 400k+ | Output is not escaped | ||
| #4168 | Gelato Integration for WooCommerce | 42 | 36 | 32 | 5k+ | Output is not escaped | ||
| #4169 | Goolytics – Simple Google Analytics | 42 | 37 | 5 | 4k+ | Unsafe printing function | ||
| #4170 | hCaptcha for WP | 42 | 115 | 18 | 70k+ | Exception output is not escaped | ||
| #4171 | Hide Cart Functions | 42 | 12 | 50 | 3k+ | Nonce verification recommended | ||
| #4172 | Hide Featured Image | 42 | 26 | 12 | 10k+ | Unsafe printing function | ||
| #4173 | HTML Editor Syntax Highlighter | 42 | 30 | 21 | 50k+ | Output is not escaped | ||
| #4174 | Image Uploader for Welcart | 42 | 27 | 24 | 3k+ | Output is not escaped | ||
| #4175 | iOS images fixer | 42 | 22 | 42 | 6k+ | Nonce verification recommended | ||
| #4176 | iyzico for WooCommerce | 42 | 34 | 54 | 10k+ | Unsafe printing function | ||
| #4177 | Lazy Social Comments | 42 | 73 | 10 | 1k+ | Unsafe printing function | ||
| #4178 | LeadSnap | 42 | 14 | 84 | 1k+ | Input is not validated | ||
| #4179 | LH Page Links To | 42 | 25 | 38 | 500 | Output is not escaped | ||
| #4180 | Image and Video Lightbox, Image PopUp | 42 | 53 | 15 | 1k+ | Output is not escaped | ||
| #4181 | Lightweight Social Icons | 42 | 59 | 1 | 30k+ | Output is not escaped | ||
| #4182 | LIQUID BLOCKS – Slider, Carousel, Accordion | 42 | 50 | 31 | 4k+ | Unsafe printing function | ||
| #4183 | List Custom Taxonomy Widget | 42 | 52 | 5 | 9k+ | Output is not escaped | ||
| #4184 | Login No Captcha reCAPTCHA | 42 | 45 | 24 | 60k+ | Unsafe printing function | ||
| #4185 | Mailster Cool Captcha | 42 | 65 | 28 | 400 | Text Domain Mismatch | ||
| #4186 | Manage User Columns | 42 | 15 | 27 | 1k+ | Request data is not unslashed | ||
| #4187 | Mass Delete Unused Tags | 42 | 21 | 9 | 800 | Output is not escaped | ||
| #4188 | Medical Addon for Elementor | 42 | 200 | 8 | 1k+ | Text Domain Mismatch | ||
| #4189 | Message Popup For Contact Form 7 | 42 | 30 | 81 | 1k+ | Missing nonce verification | ||
| #4190 | Mobile CSS | 42 | 59 | 7 | 500 | Output is not escaped | ||
| #4191 | My Upload Images | 42 | 74 | 48 | 400 | Unsafe printing function | ||
| #4192 | Nav Menu Collapse | 42 | 17 | 39 | 3k+ | Missing nonce verification | ||
| #4193 | NS Remove Related Products for WooCommerce | 42 | 95 | 43 | 3k+ | Output is not escaped | ||
| #4194 | OG Tags | 42 | 131 | 34 | 2k+ | Non Singular String Literal Domain | ||
| #4195 | OnPay.io for WooCommerce | 42 | 238 | 37 | 1k+ | Text Domain Mismatch | ||
| #4196 | PageMenu | 42 | 16 | 29 | 1k+ | Missing nonce verification | ||
| #4197 | PAYDUNYA WOOCOMMERCE PAR | 42 | 54 | 32 | 600 | Text Domain Mismatch | ||
| #4198 | PDF Thumbnail Generator | 42 | 26 | 16 | 2k+ | Output is not escaped | ||
| #4199 | PE Easy Slider | 42 | 190 | 10 | 800 | Output is not escaped | ||
| #4200 | Photo Galleria | 42 | 78 | 5 | 800 | Missing Arg Domain |