WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4201Posts Like Dislike42157395k+Non Singular String Literal Domain
#4202Prepare New Version4253246k+Output is not escaped
#4203Prismatic4261292k+Output is not escaped
#4204PuSHPress42116520k+Missing nonce verification
#4205reCAPTCHA for WooCommerce42803140k+Output is not escaped
#4206Recent Posts Widget Plus42683500Output is not escaped
#4207Rename wp-admin login4223388k+Output is not escaped
#4208Republish Old Posts4283242k+Output is not escaped
#4209WP Required Taxonomies – Categories and Tags Mandatory4243361k+Non-prefixed global variable
#4210Responsive Mortgage Calculator4238287k+Output is not escaped
#4211Reusable Blocks Extended42381520k+Output is not escaped
#4212RSS Just Better421362400Output is not escaped
#4213SALERT – Fake Sales Notification WooCommerce4241678k+Non-prefixed global variable
#4214Sendcloud Shipping4278565k+Output is not escaped
#4215SEO Backlink Monitor4286105700Output is not escaped
#4216Set All First Images As Featured424413700Text Domain Mismatch
#4217Simple Download Counter4258462k+Output is not escaped
#4218Simple Googlebot Visit4232671k+Non Singular String Literal Domain
#4219Simple Meta Tags422813700Output is not escaped
#4220Simple Sticky Footer425716600Missing Arg Domain
#4221SMTP Mailer42514970k+Unsafe printing function
#4222Social Icon Widget42906500Output is not escaped
#4223Speed Contact Bar4253204k+Output is not escaped
#4224Squelch Tabs and Accordions Shortcodes4257511k+Unsafe printing function
#4225Staffer428842600Output is not escaped
#4226Starter Sites4262251k+Output is not escaped
#4227Sticky Add To Cart Bar For WooCommerce424654600Output is not escaped
#4228Sticky Floating Button (Book Now, Contact, Call To Action…)429526900Missing Arg Domain
#4229Combine Social Photos | Still BE4233281700Non-prefixed global variable
#4230SuperSaaS – online appointment scheduling4279101k+Text Domain Mismatch
#4231ThemeZee Widget Bundle42211585k+Output is not escaped
#4232Top Bar42751110k+Output is not escaped
#4233Transients Manager42455020k+Output is not escaped
#4234Two Factor421870100k+Nonce verification recommended
#4235Ultimate Category Excluder42222650k+Missing nonce verification
#4236Ultimate Coming Soon Page, Maintenance Mode & Under Construction – Gutenberg Block Builder & Landing Page4215899k+Non-prefixed global variable
#4237UniConsent Cookie Consent CMP – Consent Manager42148181k+Unsafe printing function
#4238UPI QR Code Payment Gateway42179281k+Text Domain Mismatch
#4239Usermaven4236771k+Request data is not unslashed
#4240Vast Demo Import42180113600Text Domain Mismatch
#4241Vertical marquee post title4210968400Output is not escaped
#4242WC Price History4218214k+Database parameter is not escaped
#4243WC Speed Repair4234741k+Non-prefixed global variable
#4244Weather Widget Pro4229451k+Output is not escaped
#4245WebPlanex: GST Invoice India426363400Text Domain Mismatch
#4246Widget Contact Now42696500Output is not escaped
#4247Widget Visibility Time Scheduler4270341k+Output is not escaped
#4248Auto Coupons for WooCommerce4282684k+Output is not escaped
#4249WPC Order Notes for WooCommerce422441900Output is not escaped
#4250List Products By Category Widget for WooCommerce428451k+Output is not escaped