WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4351 | BBQ Firewall – Fast & Powerful Firewall Security | 44 | 17 | 17 | 100k+ | Output is not escaped | ||
| #4352 | Buttonizer – Live Chat, AI Chatbot, Call, Chat, Contact Button | 44 | 24 | 71 | 50k+ | Non-prefixed constant | ||
| #4353 | Button visually impaired | 44 | 145 | 5 | 10k+ | Text Domain Mismatch | ||
| #4354 | Despacho vía Starken Pro para WooCommerce | 44 | 175 | 60 | 400 | Text Domain Mismatch | ||
| #4355 | Code Widget | 44 | 60 | 33 | 4k+ | Text Domain Mismatch | ||
| #4356 | Coming soon and Maintenance mode | 44 | 14 | 43 | 9k+ | Request data is not unslashed | ||
| #4357 | Comment Image | 44 | 19 | 23 | 1k+ | Output is not escaped | ||
| #4358 | Cookie Bar | 44 | 29 | 3 | 10k+ | Unsafe printing function | ||
| #4359 | Currency Converter Widget | 44 | 37 | 6 | 3k+ | Unsafe printing function | ||
| #4360 | Custom Dashboard Help Widget | 44 | 73 | 12 | 800 | Output is not escaped | ||
| #4361 | Cyberpret – Calculettes | 44 | 41 | 17 | 500 | Output is not escaped | ||
| #4362 | Debug Bar Console | 44 | 23 | 9 | 1k+ | Missing Arg Domain | ||
| #4363 | Easy!Appointments | 44 | 47 | 6 | 600 | Unsafe printing function | ||
| #4364 | ELEX WooCommerce Role Based Pricing | 44 | 213 | 196 | 2k+ | Non-prefixed global variable | ||
| #4365 | Github Embed | 44 | 18 | 35 | 1k+ | Non-prefixed global variable | ||
| #4366 | I Order Terms | 44 | 40 | 24 | 1k+ | Output is not escaped | ||
| #4367 | Image Widget | 44 | 48 | 5 | 3k+ | Output is not escaped | ||
| #4368 | Smart JavaScript Auto Loader | 44 | 83 | 2 | 400 | Output is not escaped | ||
| #4369 | KKiapay WooCommerce Plugin | 44 | 20 | 25 | 400 | Output is not escaped | ||
| #4370 | LearnPress – BuddyPress Integration | 44 | 27 | 25 | 1k+ | Output is not escaped | ||
| #4371 | Roles & Capabilities | 44 | 24 | 79 | 1k+ | Nonce verification recommended | ||
| #4372 | Save and Close | 44 | 4 | 47 | 400 | Missing nonce verification | ||
| #4373 | LIQUID SPEECH BALLOON | 44 | 34 | 30 | 10k+ | Output is not escaped | ||
| #4374 | Minimum Order Amount for Woocommerce | 44 | 50 | 16 | 2k+ | Text Domain Mismatch | ||
| #4375 | Multilevel Navigation Menu | 44 | 80 | 1 | 500 | Output is not escaped | ||
| #4376 | Notix – Web Push Notifications | 44 | 22 | 41 | 600 | Non-prefixed global variable | ||
| #4377 | Ocean Modal Window | 44 | 26 | 44 | 10k+ | Output is not escaped | ||
| #4378 | QR Code Woocommerce | 44 | 37 | 36 | 1k+ | Output is not escaped | ||
| #4379 | Razorpay Subscriptions for WooCommerce | 44 | 28 | 35 | 600 | Exception output is not escaped | ||
| #4380 | senangpay | 44 | 38 | 46 | 1k+ | Text Domain Mismatch | ||
| #4381 | Setmore Appointments | 44 | 45 | 13 | 4k+ | Output is not escaped | ||
| #4382 | Shippit for WooCommerce | 44 | 127 | 26 | 900 | Text Domain Mismatch | ||
| #4383 | Simple Full Screen Background Image | 44 | 23 | 13 | 10k+ | Output is not escaped | ||
| #4384 | Simple Image Widget | 44 | 26 | 19 | 10k+ | Unsafe printing function | ||
| #4385 | Simple Matomo Tracking Code | 44 | 23 | 6 | 1k+ | Unsafe printing function | ||
| #4386 | SKT Addons for Elementor | 44 | 611 | 383 | 1k+ | Text Domain Mismatch | ||
| #4387 | Smart Archive Page Remove | 44 | 82 | 5 | 7k+ | Output is not escaped | ||
| #4388 | Smart Attachment Page Remove | 44 | 82 | 3 | 900 | Output is not escaped | ||
| #4389 | SmartVideo – Video Player and CDN | 44 | 295 | 44 | 1k+ | Text Domain Mismatch | ||
| #4390 | TP Product Description in Loop for WooCommerce | 44 | 48 | 7 | 500 | Setting is missing a sanitization callback | ||
| #4391 | Trusty Whistleblowing Solution | 44 | 234 | 16 | 400 | Text Domain Mismatch | ||
| #4392 | Unit Price for WooCommerce | 44 | 112 | 63 | 1k+ | Output is not escaped | ||
| #4393 | User Posts Limit | 44 | 82 | 22 | 2k+ | Output is not escaped | ||
| #4394 | WCFM – WCFM Marketplace integrate Elementor | 44 | 82 | 18 | 1k+ | Output is not escaped | ||
| #4395 | Website Open/Closed Toggle | 44 | 14 | 33 | 500 | Output is not escaped | ||
| #4396 | WP Club Manager – WordPress Sports Club Plugin | 44 | 171 | 682 | 600 | Non-prefixed global variable | ||
| #4397 | Wpazure Kit | 44 | 136 | 140 | 800 | Missing direct file access protection | ||
| #4398 | ReCaptcha v2 for Contact Form 7 | 44 | 12 | 30 | 200k+ | Nonce verification recommended | ||
| #4399 | WPKoi Templates for Elementor | 44 | 937 | 25 | 5k+ | Text Domain Mismatch | ||
| #4400 | Gateway zibal for Woocommerce | 44 | 70 | 24 | 6k+ | Text Domain Mismatch |