WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4251 | List Products By Category Widget for WooCommerce | 42 | 84 | 5 | 1k+ | Output is not escaped | ||
| #4252 | TT Extra Fee Option for WooCommerce | 42 | 37 | 19 | 1k+ | Output is not escaped | ||
| #4253 | Dynamic Remarketing for Google Ads and WooCommerce | 42 | 32 | 15 | 2k+ | Output is not escaped | ||
| #4254 | WP Author Security | 42 | 40 | 13 | 500 | Output is not escaped | ||
| #4255 | WP Before After Image Slider – Interactive Image and Video Comparison Plugin for WordPress | 42 | 112 | 17 | 1k+ | Text Domain Mismatch | ||
| #4256 | WP Child Theme Generator | 42 | 35 | 66 | 20k+ | Request data is not unslashed | ||
| #4257 | WP Content Copy Protection & No Right Click | 42 | 126 | 135 | 100k+ | Unsafe printing function | ||
| #4258 | WP Cron Cleaner | 42 | 51 | 38 | 500 | Unsafe printing function | ||
| #4259 | WP Fingerprint | 42 | 34 | 47 | 9k+ | Direct Query | ||
| #4260 | WP Post Redirect | 42 | 29 | 17 | 3k+ | Unsafe printing function | ||
| #4261 | WP QuickLaTeX | 42 | 41 | 60 | 4k+ | Non-prefixed global variable | ||
| #4262 | WP Responsive Table | 42 | 42 | 10 | 6k+ | Output is not escaped | ||
| #4263 | Advanced All in One Admin Search by WP Spotlight | 42 | 25 | 25 | 900 | Missing Version | ||
| #4264 | WP Widget Clipboard – Duplicate widgets intuitively | 42 | 51 | 19 | 800 | Output is not escaped | ||
| #4265 | WPB Custom Tab Manager for WooCommerce – Add, Edit & Reorder Tabs | 42 | 95 | 32 | 500 | Output is not escaped | ||
| #4266 | WPFomo | 42 | 45 | 9 | 600 | Output is not escaped | ||
| #4267 | WPTerm | 42 | 61 | 89 | 3k+ | Output is not escaped | ||
| #4268 | Yandex.Metrika | 42 | 15 | 20 | 900 | Unsafe printing function | ||
| #4269 | Zotpress | 42 | 10 | 403 | 2k+ | Non-prefixed global variable | ||
| #4270 | AddFunc Head & Footer Code | 43 | 28 | 18 | 20k+ | Output is not escaped | ||
| #4271 | Admin Menu Tree Page View | 43 | 17 | 69 | 10k+ | Nonce verification recommended | ||
| #4272 | Advanced FAQ Manager | 43 | 8 | 59 | 2k+ | Input is not sanitized | ||
| #4273 | Advanced TinyMCE Configuration | 43 | 99 | 8 | 10k+ | Text Domain Mismatch | ||
| #4274 | AdWords Conversion Tracking Code | 43 | 26 | 25 | 1k+ | Non Singular String Literal Domain | ||
| #4275 | Animation Builder – An interface for adding scroll-triggered animations | 43 | 7 | 67 | 800 | Missing Version | ||
| #4276 | Anonymous Restricted Content | 43 | 22 | 24 | 1k+ | Unsafe printing function | ||
| #4277 | Anti-spam Reloaded | 43 | 19 | 19 | 2k+ | Output is not escaped | ||
| #4278 | Auto Alt Text | 43 | 52 | 13 | 4k+ | Exception output is not escaped | ||
| #4279 | Automatic Responsive Tables | 43 | 67 | 15 | 1k+ | Output is not escaped | ||
| #4280 | BMI Adult & Kid Calculator | 43 | 33 | 138 | 700 | Request data is not unslashed | ||
| #4281 | Category Editor | 43 | 54 | 18 | 8k+ | Unsafe printing function | ||
| #4282 | Charla Live Chat | 43 | 33 | 13 | 500 | Output is not escaped | ||
| #4283 | Click to Call or Chat Buttons | 43 | 47 | 6 | 1k+ | Output is not escaped | ||
| #4284 | Comment Reply Email Notification | 43 | 44 | 19 | 3k+ | Output is not escaped | ||
| #4285 | Simple Mortgage Calculator | 43 | 67 | 3 | 1k+ | Text Domain Mismatch | ||
| #4286 | Custom Menu | 43 | 83 | 11 | 400 | wp function not compatible with requires wp | ||
| #4287 | Customize Login Image | 43 | 32 | 9 | 3k+ | Unsafe printing function | ||
| #4288 | Customize Snapshots | 43 | 9 | 42 | 500 | Nonce verification recommended | ||
| #4289 | Database Addon For WPForms ( wpforms entries ) – WPFormsDB | 43 | 17 | 53 | 20k+ | Nonce verification recommended | ||
| #4290 | Directorist – WPML Integration | 43 | 10 | 134 | 400 | Non-prefixed hook name | ||
| #4291 | Disable Gutenberg | 43 | 23 | 47 | 500k+ | Nonce verification recommended | ||
| #4292 | Disable WP Notification | 43 | 74 | 25 | 10k+ | Output is not escaped | ||
| #4293 | Easy PayPal Shopping Cart | 43 | 19 | 40 | 1k+ | Input is not sanitized | ||
| #4294 | Email Notification on Login | 43 | 33 | 7 | 1k+ | Unsafe printing function | ||
| #4295 | F4 Total Stock Value for WooCommerce | 43 | 27 | 12 | 1k+ | Output is not escaped | ||
| #4296 | Floating Awesome Button (Sticky Button, Popup, Toast) & 200+ Website Custom Interactive Element | 43 | 66 | 109 | 800 | Missing direct file access protection | ||
| #4297 | GD bbPress Tools | 43 | 15 | 61 | 1k+ | Input is not sanitized | ||
| #4298 | Good Old Twitter Feed Widget | 43 | 110 | 10 | 400 | Text Domain Mismatch | ||
| #4299 | Per User Prompt for Google Authenticator | 43 | 8 | 52 | 400 | Nonce verification recommended | ||
| #4300 | Event Tracking for Gravity Forms | 43 | 34 | 25 | 20k+ | rand mt rand |