WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4451 | Pinterest Pinboard Widget | 46 | 54 | 4 | 500 | Output is not escaped | ||
| #4452 | Podcast Player – Your Podcasting Companion | 46 | 14 | 133 | 10k+ | Non-prefixed global variable | ||
| #4453 | Responsive Cookie Consent | 46 | 50 | 4 | 2k+ | Unsafe printing function | ||
| #4454 | Simple Sitemap – Create a Responsive HTML Sitemap | 46 | 33 | 48 | 60k+ | Non-prefixed hook name | ||
| #4455 | Link in Bio Creator – Social | 46 | 52 | 36 | 2k+ | Non Singular String Literal Domain | ||
| #4456 | Stars Rating | 46 | 13 | 34 | 1k+ | Missing nonce verification | ||
| #4457 | StockPack – Stock photos from Unsplash, Adobe Stock and more | 46 | 35 | 51 | 6k+ | Nonce verification recommended | ||
| #4458 | TotalSurvey for Survey, Quiz and Form | 46 | 290 | 33 | 600 | Missing direct file access protection | ||
| #4459 | Ultimate FAQ Solution | 46 | 285 | 97 | 600 | Text Domain Mismatch | ||
| #4460 | URL Params | 46 | 36 | 17 | 8k+ | Text Domain Mismatch | ||
| #4461 | SX User Name Security | 46 | 42 | 9 | 900 | Output is not escaped | ||
| #4462 | WEN Logo Slider | 46 | 6 | 46 | 1k+ | Non-prefixed global variable | ||
| #4463 | Custom Price Labels for WooCommerce | 46 | 17 | 22 | 1k+ | Output is not escaped | ||
| #4464 | WP Lightbox 2 | 46 | 52 | 18 | 30k+ | Text Domain Mismatch | ||
| #4465 | Widget Disable | 46 | 19 | 19 | 10k+ | Output is not escaped | ||
| #4466 | WP All Import – Import SEO Settings for Yoast SEO | 46 | 19 | 26 | 20k+ | Nonce verification recommended | ||
| #4467 | Zoho Mail for WordPress | 46 | 29 | 48 | 20k+ | Request data is not unslashed | ||
| #4468 | Advanced Custom Fields: Number Slider | 47 | 99 | 4 | 400 | Output is not escaped | ||
| #4469 | AffiliateWP Checkout Referrals | 47 | 48 | 26 | 600 | Output is not escaped | ||
| #4470 | Verified Member for BuddyPress | 47 | 20 | 38 | 3k+ | Nonce verification recommended | ||
| #4471 | 404 Image Redirection (Replace Broken Images) | 47 | 118 | 85 | 500 | Text Domain Mismatch | ||
| #4472 | Cashfree for WooCommerce | 47 | 21 | 21 | 8k+ | Nonce verification recommended | ||
| #4473 | Clear Cache for Me | 47 | 58 | 8 | 40k+ | Text Domain Mismatch | ||
| #4474 | Custom Background Changer | 47 | 44 | 14 | 1k+ | Non Singular String Literal Domain | ||
| #4475 | Customizer Export/Import | 47 | 14 | 15 | 100k+ | Unsafe printing function | ||
| #4476 | Do Shortcodes for Rank Math SEO | 47 | 117 | 3 | 1k+ | Output is not escaped | ||
| #4477 | Show IDs by Echo | 47 | 21 | 13 | 2k+ | Output is not escaped | ||
| #4478 | Extended CRM for Users Insights | 47 | 11 | 23 | 400 | Missing nonce verification | ||
| #4479 | Flying Pages: Preload Pages for Faster Navigation & Improved User Experience | 47 | 21 | 21 | 20k+ | Missing direct file access protection | ||
| #4480 | FSM Custom Featured Image Caption | 47 | 26 | 27 | 5k+ | Output is not escaped | ||
| #4481 | G Meta Keywords | 47 | 31 | 8 | 10k+ | Unsafe printing function | ||
| #4482 | Gateway AqayePardakht for Woocommerce | 47 | 72 | 23 | 4k+ | Text Domain Mismatch | ||
| #4483 | Granular Controls For Elementor | 47 | 56 | 4 | 10k+ | Output is not escaped | ||
| #4484 | Groups 404 Redirect | 47 | 35 | 33 | 1k+ | Non Singular String Literal Domain | ||
| #4485 | Import Users from CSV | 47 | 33 | 12 | 10k+ | Unsafe printing function | ||
| #4486 | KCSG Kartra Pages | 47 | 30 | 16 | 500 | Heredoc Output Not Escaped | ||
| #4487 | Log Emails | 47 | 19 | 29 | 6k+ | Non-prefixed global variable | ||
| #4488 | Product Categories/Tags Bottom Description for WooCommerce | 47 | 60 | 23 | 3k+ | Text Domain Mismatch | ||
| #4489 | Restore PayPal Standard for WooCommerce | 47 | 19 | 53 | 3k+ | Nonce verification recommended | ||
| #4490 | Security Ninja For MainWP | 47 | 246 | 71 | 500 | Text Domain Mismatch | ||
| #4491 | Showeblogin Social Plugin | 47 | 59 | 5 | 400 | Output is not escaped | ||
| #4492 | Simple Popup Plugin | 47 | 53 | 5 | 1k+ | Output is not escaped | ||
| #4493 | Social Media Widget | 47 | 51 | 3 | 400 | Output is not escaped | ||
| #4494 | SportsPress for Baseball | 47 | 113 | 34 | 900 | Text Domain Mismatch | ||
| #4495 | Store Locator for WordPress📍 | 47 | 51 | 21 | 1k+ | Missing Arg Domain | ||
| #4496 | Tabby Checkout | 47 | 33 | 46 | 4k+ | Non-prefixed class | ||
| #4497 | Taxonomy Switcher | 47 | 23 | 36 | 2k+ | Nonce verification recommended | ||
| #4498 | The Tribal Plugin | 47 | 43 | 62 | 800 | Non-prefixed function | ||
| #4499 | Userback | 47 | 13 | 20 | 2k+ | Output is not escaped | ||
| #4500 | Simple Client Dashboard | 47 | 38 | 36 | 2k+ | Missing direct file access protection |