WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
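
The three fixes above applied to one template function, as an added example (not taken from this page or from any plugin listed below). The `myplugin_*` names, the `display_name` and `website` request keys, and the `myplugin_profile_note` option are hypothetical, and the code assumes it is loaded inside WordPress.

```php
<?php
// Added illustration: every myplugin_* name, request key and option name here
// is hypothetical. Requires WordPress to be loaded.

// BEFORE: the pattern the sniff reports. Three values reach HTML unescaped.
function myplugin_render_profile_card_unsafe() {
	$name = $_GET['display_name'];                  // request value
	$site = $_GET['website'];                       // request value
	$note = get_option( 'myplugin_profile_note' );  // stored option

	echo '<div class="card" title="' . $name . '">';
	echo '<a href="' . $site . '">' . $name . '</a>';
	echo '<p>' . $note . '</p></div>';
}

// AFTER: sanitize when reading, escape at the point of output.
function myplugin_render_profile_card() {
	// Read-only display, so no nonce is checked in this sketch.
	$name = isset( $_GET['display_name'] )
		? sanitize_text_field( wp_unslash( $_GET['display_name'] ) )
		: '';
	$site = isset( $_GET['website'] )
		? esc_url_raw( wp_unslash( $_GET['website'] ) )
		: '';
	$note = (string) get_option( 'myplugin_profile_note', '' );

	// The same $name is escaped twice, once per context it is printed into.
	printf(
		'<div class="card" title="%1$s"><a href="%2$s">%3$s</a><p>%4$s</p></div>',
		esc_attr( $name ),     // HTML attribute value
		esc_url( $site ),      // URL; disallowed schemes such as javascript: come back empty
		esc_html( $name ),     // plain text node
		wp_kses_post( $note )  // limited HTML is intentionally allowed here
	);
}
```

Sanitizing the input does not replace the escaping calls: the sniff looks at the output statement, and a value that was safe for storage can still be wrong for the attribute or URL context it is later printed into.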
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #4601 | Advanced Custom Fields: Archive Templates | 74 | 11 | 7 | 800 | Output is not escaped | ||
| #4602 | ACF Columns | 74 | 47 | 4 | 4k+ | Text Domain Mismatch | ||
| #4603 | Admin Columns for ACF Fields | 74 | 7 | 8 | 9k+ | Output is not escaped | ||
| #4604 | Append Link on Copy | 74 | 23 | 5 | 800 | Output is not escaped | ||
| #4605 | Bangla Date Display | 74 | 43 | 4 | 4k+ | Text Domain Mismatch | ||
| #4606 | Boxy WooCommerce Custom Redirect After Checkout | 74 | 27 | 8 | 700 | badly named files | ||
| #4607 | Buy Now Button for WooCommerce | 74 | 9 | 11 | 2k+ | Nonce verification recommended | ||
| #4608 | Calculation For Contact Form 7 | 74 | 21 | 5 | 1k+ | Text Domain Mismatch | ||
| #4609 | Custom Icons for Elementor and WPBakery | 74 | 35 | 38 | 10k+ | Non-prefixed global variable | ||
| #4610 | Duplicate Taxonomy Term | 74 | 9 | 5 | 2k+ | Nonce verification recommended | ||
| #4611 | Duplicate Widget | 74 | 17 | 0 | 1k+ | Output is not escaped | ||
| #4612 | Dynamic Conditions | 74 | 42 | 3 | 60k+ | Missing Arg Domain | ||
| #4613 | Edit Author Slug | 74 | 5 | 8 | 100k+ | Output is not escaped | ||
| #4614 | Contact Form 7 Email Validation | 74 | 8 | 10 | 1k+ | Input is not validated | ||
| #4615 | Google Web Fonts Customizer (GWFC) | 74 | 48 | 4 | 900 | Text Domain Mismatch | ||
| #4616 | Highlight and Share – Unobtrusive and Lightweight Content Sharing | 74 | 12 | 115 | 800 | Non-prefixed hook name | ||
| #4617 | Markup Markdown | 74 | 18 | 128 | 2k+ | Non-prefixed global variable | ||
| #4618 | Multiple Admin Email Addresses | 74 | 7 | 4 | 1k+ | Missing nonce verification | ||
| #4619 | Elements For Elementor | 74 | 39 | 37 | 10k+ | Non-prefixed global variable | ||
| #4620 | Post Carousel for DV Builder | 74 | 152 | 9 | 2k+ | Text Domain Mismatch | ||
| #4621 | Post Grid Addon for Elementor | 74 | 16 | 13 | 10k+ | Missing direct file access protection | ||
| #4622 | Post My CF7 Form | 74 | 21 | 168 | 2k+ | Non-prefixed global variable | ||
| #4623 | Product Layouts for WooCommerce | 74 | 5 | 75 | 1k+ | Direct Query | ||
| #4624 | WP All Import – Property Import for RealHomes | 74 | 17 | 12 | 700 | Output is not escaped | ||
| #4625 | Registration Form for WooCommerce | 74 | 6 | 42 | 1k+ | Non-prefixed global variable | ||
| #4626 | Resume Builder | 74 | 20 | 59 | 1k+ | Non-prefixed global variable | ||
| #4627 | Scroll to Top Button | 74 | 16 | 4 | 1k+ | Output is not escaped | ||
| #4628 | Security Headers | 74 | 31 | 11 | 3k+ | Deprecated parameter: unregister_setting parameter 3 | ||
| #4629 | Show Pages IDs | 74 | 8 | 8 | 10k+ | Output is not escaped | ||
| #4630 | Simple Scroll To Top WP | 74 | 24 | 5 | 1k+ | Output is not escaped | ||
| #4631 | Simple Slug Translate | 74 | 32 | 3 | 1k+ | Non Singular String Literal Domain | ||
| #4632 | Site Mailer – SMTP Replacement, Email API Deliverability & Email Log | 74 | 8 | 23 | 200k+ | Output is not escaped | ||
| #4633 | Extra Shipping Rates for WooCommerce | 74 | 15 | 19 | 800 | Non-prefixed global variable | ||
| #4634 | Widgets in Menu for WordPress | 74 | 16 | 12 | 8k+ | Text Domain Mismatch | ||
| #4635 | WP API SwaggerUI | 74 | 16 | 14 | 2k+ | Missing direct file access protection | ||
| #4636 | WP Cron HTTP Auth | 74 | 12 | 7 | 1k+ | Output is not escaped | ||
| #4637 | Force Login | 74 | 5 | 8 | 30k+ | Output is not escaped | ||
| #4638 | WP Revisions Limit | 74 | 16 | 14 | 900 | Missing Arg Domain | ||
| #4639 | WP Term Colors | 74 | 3 | 13 | 700 | Nonce verification recommended | ||
| #4640 | Zion Builder – Website Builder for Speed & Creativity | 74 | 4 | 29 | 1k+ | Non-prefixed hook name | ||
| #4641 | Acumbamail | 75 | 7 | 36 | 1k+ | Non-prefixed global variable | ||
| #4642 | Admin Locale | 75 | 12 | 10 | 7k+ | Missing Arg Domain | ||
| #4643 | Anchor Episodes Index (Spotify for Podcasters) | 75 | 32 | 3 | 1k+ | Text Domain Mismatch | ||
| #4644 | blueimp lightbox | 75 | 19 | 2 | 1k+ | Output is not escaped | ||
| #4645 | Canvas Image Resize | 75 | 19 | 1 | 1k+ | Output is not escaped | ||
| #4646 | chat-me-now | 75 | 15 | 5 | 4k+ | Output is not escaped | ||
| #4647 | Cognito Forms | 75 | 13 | 4 | 2k+ | wp function not compatible with requires wp | ||
| #4648 | Conditional Logic Emails, Fields, Redirect for Elementor Forms | 75 | 312 | 31 | 2k+ | wp function not compatible with requires wp | ||
| #4649 | Custom field finder | 75 | 9 | 3 | 2k+ | Output is not escaped | ||
| #4650 | Customize Twenty Seventeen | 75 | 33 | 19 | 2k+ | Text Domain Mismatch |