WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output becomes a cross-site scripting (XSS) sink whenever an attacker controls any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
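The three points above applied to one output function, as an added example that is not code from the original page: first the unescaped form the sniff reports, then the same function with every value escaped for the context it lands in. The function names, the option name and the parameters are hypothetical.

```php
<?php
// Added example, not from the original page. The function names, the
// 'example_box_theme' option and the three parameters are hypothetical.

// Before: every value reaches HTML without an escaping call, so
// WordPress.Security.EscapeOutput.OutputNotEscaped is reported on each echo.
function example_render_author_box_unescaped( $name, $site_url, $bio ) {
    $theme = get_option( 'example_box_theme', 'light' ); // hypothetical option

    echo '<div class="author-box author-box-' . $theme . '">';
    echo '<h3 title="' . $name . '">' . $name . '</h3>';
    echo '<a href="' . $site_url . '">' . $site_url . '</a>';
    echo '<p>' . $bio . '</p>';
    echo '</div>';
}

// After: each value is escaped right before output, with the function that
// matches the context it is printed into.
function example_render_author_box_escaped( $name, $site_url, $bio ) {
    // The option may have been sanitized on save; it is still escaped here,
    // at output time, because the sniff (and the attack surface) is about output.
    $theme = get_option( 'example_box_theme', 'light' );

    // Attribute context: esc_attr() neutralises quotes that would end the attribute.
    echo '<div class="author-box author-box-' . esc_attr( $theme ) . '">';

    // The same value lands in two contexts, so it is escaped twice, differently.
    echo '<h3 title="' . esc_attr( $name ) . '">' . esc_html( $name ) . '</h3>';

    // URL context: esc_url() rejects disallowed schemes and encodes the rest;
    // the visible link text is a text node, so it gets esc_html().
    echo '<a href="' . esc_url( $site_url ) . '">' . esc_html( $site_url ) . '</a>';

    // Limited HTML is intentionally allowed here: wp_kses_post() keeps only the
    // tags and attributes permitted in post content.
    echo '<p>' . wp_kses_post( $bio ) . '</p>';

    echo '</div>';
}
```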
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4551 | Easy Social Box / Page Plugin | 58 | 53 | 4 | 4k+ | | | Output is not escaped |
| #4552 | Easy Sidebar Menu Widget | 58 | 32 | 7 | 2k+ | | | Output is not escaped |
| #4553 | PDF invoice for WP ERP | 58 | 96 | 134 | 2k+ | | | Non-prefixed global variable |
| #4554 | Flexible FAQ | 58 | 27 | 26 | 1k+ | | | Text Domain Mismatch |
| #4555 | flowpaper | 58 | 14 | 31 | 10k+ | | | Non-prefixed function |
| #4556 | Go Redirects URL Forwarder | 58 | 17 | 14 | 1k+ | | | Output is not escaped |
| #4557 | Gutenverse Form – Contact Form Builder, Block Form & Booking Form | 58 | 17 | 48 | 10k+ | | | Nonce verification recommended |
| #4558 | Houzez WooCommerce Addon | 58 | 22 | 21 | 4k+ | | | Missing Translators Comment |
| #4559 | List Last Changes | 58 | 50 | 15 | 1k+ | | | Output is not escaped |
| #4560 | Menu Swapper | 58 | 20 | 14 | 3k+ | | | Output is not escaped |
| #4561 | Nginx Cache | 58 | 12 | 8 | 10k+ | | | Unsafe printing function |
| #4562 | WP Online Active Users | 58 | 26 | 45 | 2k+ | | | Non-prefixed global variable |
| #4563 | PageLoader Lite – Loading Screen | 58 | 29 | 17 | 700 | | | Output is not escaped |
| #4564 | Quickcreator – AI Blog Writer | 58 | 14 | 18 | 500 | | | Exception output is not escaped |
| #4565 | Random Post for Widget | 58 | 27 | 5 | 2k+ | | | Output is not escaped |
| #4566 | Remove CPT base | 58 | 15 | 16 | 10k+ | | | Input is not sanitized |
| #4567 | Responsive Select Menu | 58 | 29 | 27 | 3k+ | | | Output is not escaped |
| #4568 | Rewrite Rules Inspector | 58 | 7 | 59 | 10k+ | | | Nonce verification recommended |
| #4569 | Safety Exit | 58 | 52 | 26 | 1k+ | | | Text Domain Mismatch |
| #4570 | Simple Back To Top | 58 | 15 | 43 | 3k+ | | | Non-prefixed global variable |
| #4571 | Simple CSS for widgets | 58 | 11 | 15 | 1k+ | | | Missing nonce verification |
| #4572 | SportsPress for Basketball | 58 | 104 | 34 | 1k+ | | | Text Domain Mismatch |
| #4573 | SportsPress for Football (Soccer) | 58 | 107 | 34 | 6k+ | | | Text Domain Mismatch |
| #4574 | Super Simple Event Calendar | 58 | 8 | 24 | 700 | | | Request data is not unslashed |
| #4575 | UiCore Elements – Free widgets and templates for Elementor | 58 | 29 | 30 | 40k+ | | | Output is not escaped |
| #4576 | Ultimate Member – Online Users | 58 | 25 | 4 | 3k+ | | | Output is not escaped |
| #4577 | View Admin As | 58 | 307 | 135 | 9k+ | | | Non Singular String Literal Domain |
| #4578 | VRTs – Visual Regression Tests | 58 | 61 | 118 | 900 | | | Database parameter is not escaped |
| #4579 | WebP Express Plus | 58 | 19 | 11 | 700 | | | Unsafe printing function |
| #4580 | Wettervorhersage | 58 | 49 | 7 | 1k+ | | | Output is not escaped |
| #4581 | Chat Button & Custom ChatGPT-Powered Bot by GetButton.io | 58 | 26 | 8 | 20k+ | | | Non-prefixed function |
| #4582 | Cloak Affiliate Links for WooCommerce | 58 | 28 | 6 | 2k+ | | | Non Singular String Literal Domain |
| #4583 | WP Healthcheck | 58 | 37 | 73 | 1k+ | | | Non-prefixed global variable |
| #4584 | Blog Designer | 59 | 62 | 83 | 10k+ | | | Text Domain Mismatch |
| #4585 | Business Reviews – Display Customer Reviews from Popular Sites | 59 | 10 | 31 | 1k+ | | | Non-prefixed class |
| #4586 | Posts Order | 59 | 59 | 20 | 1k+ | | | Text Domain Mismatch |
| #4587 | Click To Copy – Copy Text or Code to Clipboard Instantly | 59 | 13 | 35 | 800 | | | Non-prefixed class |
| #4588 | Connect SendGrid for Emails | 59 | 37 | 103 | 900 | | | Missing direct file access protection |
| #4589 | Cresta Posts Box | 59 | 10 | 13 | 1k+ | | | Output is not escaped |
| #4590 | Display Post Types – Post Grid, post list and post sliders | 59 | 24 | 14 | 7k+ | | | Output is not escaped |
| #4591 | File Upload For WPForms – Filenzo | 59 | 8 | 16 | 1k+ | | | Output is not escaped |
| #4592 | GDPR Data Request Form | 59 | 22 | 19 | 6k+ | | | Missing direct file access protection |
| #4593 | Gettext override translations | 59 | 33 | 7 | 2k+ | | | Missing Arg Domain |
| #4594 | Gravity Forms: Notification Attachments | 59 | 18 | 7 | 500 | | | Output is not escaped |
| #4595 | Gravity Forms Approvals Add-On | 59 | 17 | 6 | 800 | | | Output is not escaped |
| #4596 | GravityWP – Merge Tags | 59 | 16 | 172 | 2k+ | | | Non-prefixed global variable |
| #4597 | HTTP Headers | 59 | 20 | 43 | 50k+ | | | Nonce verification recommended |
| #4598 | Icon List | 59 | 83 | 11 | 1k+ | | | Text Domain Mismatch |
| #4599 | MapGeo – Interactive Geo Maps | 59 | 14 | 51 | 40k+ | | | Non-prefixed hook name |
| #4600 | JetSticky For Elementor | 59 | 13 | 38 | 30k+ | | | Nonce verification recommended |