WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4501 | Restore PayPal Standard for WooCommerce | 47 | 19 | 53 | 3k+ | Nonce verification recommended | ||
| #4502 | Security Ninja For MainWP | 47 | 246 | 71 | 500 | Text Domain Mismatch | ||
| #4503 | Showeblogin Social Plugin | 47 | 59 | 5 | 400 | Output is not escaped | ||
| #4504 | Simple Popup Plugin | 47 | 53 | 5 | 1k+ | Output is not escaped | ||
| #4505 | Social Media Widget | 47 | 51 | 3 | 400 | Output is not escaped | ||
| #4506 | SportsPress for Baseball | 47 | 113 | 34 | 900 | Text Domain Mismatch | ||
| #4507 | Store Locator for WordPressπ | 47 | 51 | 21 | 1k+ | Missing Arg Domain | ||
| #4508 | Tabby Checkout | 47 | 33 | 46 | 4k+ | Non-prefixed class | ||
| #4509 | Taxonomy Switcher | 47 | 23 | 36 | 2k+ | Nonce verification recommended | ||
| #4510 | The Tribal Plugin | 47 | 43 | 62 | 800 | Non-prefixed function | ||
| #4511 | Userback | 47 | 13 | 20 | 2k+ | Output is not escaped | ||
| #4512 | Simple Client Dashboard | 47 | 38 | 36 | 2k+ | Missing direct file access protection | ||
| #4513 | Website Article Monetization By MageNet | 47 | 17 | 24 | 10k+ | Output is not escaped | ||
| #4514 | Better Usability for WooCommerce | 47 | 27 | 87 | 800 | Non-prefixed hook name | ||
| #4515 | FedaPay Gateway for WooCommerce | 47 | 24 | 11 | 700 | Output is not escaped | ||
| #4516 | iControlWP | 47 | 45 | 59 | 1k+ | Missing direct file access protection | ||
| #4517 | WP Custom Author URL | 47 | 16 | 38 | 5k+ | Non-prefixed global variable | ||
| #4518 | 3CX Free Live Chat, Calls & Messaging | 47 | 24 | 16 | 100k+ | Output is not escaped | ||
| #4519 | WP PHP Console | 47 | 18 | 24 | 500 | Output is not escaped | ||
| #4520 | WP Prefix Changer | 47 | 27 | 16 | 900 | Missing Arg Domain | ||
| #4521 | QuadLayers TikTok Feed | 47 | 78 | 52 | 7k+ | Text Domain Mismatch | ||
| #4522 | Post Status Notifications | 47 | 98 | 41 | 1k+ | Text Domain Mismatch | ||
| #4523 | XML Sitemap & Google News | 47 | 270 | 224 | 100k+ | Non-prefixed global variable | ||
| #4524 | Add-on WooCommerce β MailPoet 3 | 48 | 30 | 21 | 600 | Output is not escaped | ||
| #4525 | Add Polylang support for Customizer | 48 | 18 | 20 | 2k+ | Nonce verification recommended | ||
| #4526 | Advanced Custom Fields β Location Field add-on | 48 | 51 | 6 | 900 | Output is not escaped | ||
| #4527 | AffiliateWP β Store Credit | 48 | 47 | 21 | 400 | Output is not escaped | ||
| #4528 | Ansar Import β One Click Starter Sites β for Elementor & Themes | 48 | 27 | 116 | 10k+ | Non-prefixed global variable | ||
| #4529 | Better Block Patterns | 48 | 77 | 11 | 1k+ | Missing direct file access protection | ||
| #4530 | BP Simple Private | 48 | 19 | 12 | 500 | Output is not escaped | ||
| #4531 | bxSlider integration for WordPress | 48 | 126 | 21 | 500 | Text Domain Mismatch | ||
| #4532 | Contact Form 7 BWP reCAPTCHA Extension | 48 | 92 | 10 | 400 | Non Singular String Literal Domain | ||
| #4533 | Convertful β Your Ultimate On-Site Conversion Tool | 48 | 15 | 34 | 3k+ | wp function not compatible with requires wp | ||
| #4534 | CookieFox β Cookie Notice | 48 | 14 | 19 | 400 | Output is not escaped | ||
| #4535 | CryptAPI Payment Gateway for WooCommerce | 48 | 187 | 23 | 400 | Text Domain Mismatch | ||
| #4536 | Current Menu Item for Custom Post Types | 48 | 18 | 30 | 2k+ | Non-prefixed global variable | ||
| #4537 | Custom Background Extended | 48 | 13 | 23 | 800 | Input is not validated | ||
| #4538 | Custom Header Extended | 48 | 19 | 11 | 1k+ | Unsafe printing function | ||
| #4539 | Better Badge β Custom Product Badges for WooCommerce | 48 | 21 | 47 | 500 | Non Singular String Literal Domain | ||
| #4540 | Custom Related Products for WooCommerce | 48 | 25 | 10 | 5k+ | Text Domain Mismatch | ||
| #4541 | Disable Author Pages | 48 | 23 | 5 | 6k+ | Unsafe printing function | ||
| #4542 | Easy Share Solution For WordPress | 48 | 15 | 33 | 1k+ | Output is not escaped | ||
| #4543 | Filter Page by Template | 48 | 17 | 20 | 2k+ | Nonce verification recommended | ||
| #4544 | Fixed And Sticky Header | 48 | 31 | 7 | 1k+ | Output is not escaped | ||
| #4545 | Maps Plugin using Google Maps for WordPress β WP Google Map | 48 | 289 | 38 | 10k+ | wp function not compatible with requires wp | ||
| #4546 | Tag Pilot FREE β Google Tag Manager Integration for WooCommerce | 48 | 35 | 19 | 1k+ | Output is not escaped | ||
| #4547 | Hotline Phone Ring | 48 | 16 | 15 | 8k+ | Output is not escaped | ||
| #4548 | JW Player for WordPress | 48 | 289 | 80 | 1k+ | Text Domain Mismatch | ||
| #4549 | Add LinkedIn Insight Tag for LinkedIn Ads | 48 | 130 | 23 | 5k+ | Non Singular String Literal Domain | ||
| #4550 | Mailster Live | 48 | 22 | 37 | 600 | Missing Translators Comment |