WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4351BBQ Firewall – Fast & Powerful Firewall Security441717100k+Output is not escaped
#4352Buttonizer – Live Chat, AI Chatbot, Call, Chat, Contact Button44247150k+Non-prefixed constant
#4353Button visually impaired44145510k+Text Domain Mismatch
#4354Despacho vía Starken Pro para WooCommerce4417560400Text Domain Mismatch
#4355Code Widget4460334k+Text Domain Mismatch
#4356Coming soon and Maintenance mode4414439k+Request data is not unslashed
#4357Comment Image4419231k+Output is not escaped
#4358Cookie Bar4429310k+Unsafe printing function
#4359Currency Converter Widget443763k+Unsafe printing function
#4360Custom Dashboard Help Widget447312800Output is not escaped
#4361Cyberpret – Calculettes444117500Output is not escaped
#4362Debug Bar Console442391k+Missing Arg Domain
#4363Easy!Appointments44476600Unsafe printing function
#4364ELEX WooCommerce Role Based Pricing442131962k+Non-prefixed global variable
#4365Github Embed4418351k+Non-prefixed global variable
#4366I Order Terms4440241k+Output is not escaped
#4367Image Widget444853k+Output is not escaped
#4368Smart JavaScript Auto Loader44832400Output is not escaped
#4369KKiapay WooCommerce Plugin442025400Output is not escaped
#4370LearnPress – BuddyPress Integration4427251k+Output is not escaped
#4371Roles & Capabilities4424791k+Nonce verification recommended
#4372Save and Close44447400Missing nonce verification
#4373LIQUID SPEECH BALLOON44343010k+Output is not escaped
#4374Minimum Order Amount for Woocommerce4450162k+Text Domain Mismatch
#4375Multilevel Navigation Menu44801500Output is not escaped
#4376Notix – Web Push Notifications442241600Non-prefixed global variable
#4377Ocean Modal Window44264410k+Output is not escaped
#4378QR Code Woocommerce4437361k+Output is not escaped
#4379Razorpay Subscriptions for WooCommerce442835600Exception output is not escaped
#4380senangpay4438461k+Text Domain Mismatch
#4381Setmore Appointments4445134k+Output is not escaped
#4382Shippit for WooCommerce4412726900Text Domain Mismatch
#4383Simple Full Screen Background Image44231310k+Output is not escaped
#4384Simple Image Widget44261910k+Unsafe printing function
#4385Simple Matomo Tracking Code442361k+Unsafe printing function
#4386SKT Addons for Elementor446113831k+Text Domain Mismatch
#4387Smart Archive Page Remove448257k+Output is not escaped
#4388Smart Attachment Page Remove44823900Output is not escaped
#4389SmartVideo – Video Player and CDN44295441k+Text Domain Mismatch
#4390TP Product Description in Loop for WooCommerce44487500Setting is missing a sanitization callback
#4391Trusty Whistleblowing Solution4423416400Text Domain Mismatch
#4392Unit Price for WooCommerce44112631k+Output is not escaped
#4393User Posts Limit4482222k+Output is not escaped
#4394WCFM – WCFM Marketplace integrate Elementor4482181k+Output is not escaped
#4395Website Open/Closed Toggle441433500Output is not escaped
#4396WP Club Manager – WordPress Sports Club Plugin44171682600Non-prefixed global variable
#4397Wpazure Kit44136140800Missing direct file access protection
#4398ReCaptcha v2 for Contact Form 7441230200k+Nonce verification recommended
#4399WPKoi Templates for Elementor44937255k+Text Domain Mismatch
#4400Gateway zibal for Woocommerce4470246k+Text Domain Mismatch