WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output becomes a cross-site scripting (XSS) vector whenever an attacker controls any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
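The following is an added example, not code from the WordPress Coding Standards project or from any plugin listed on this page. It renders the same card markup twice: first in the form the sniff flags, then with each dynamic value escaped for the context it lands in (attribute, text, URL, limited HTML). It assumes a WordPress runtime for `get_option()`, `apply_filters()`, the `esc_*()` family and `wp_kses_post()`; the option name, the filter name and the `hypothetical_` prefix are placeholders chosen for this example.

```php
<?php
/**
 * Added example (not from the WordPress Coding Standards page or any plugin
 * listed here). The same markup is rendered twice: first in the form that
 * WordPress.Security.EscapeOutput.OutputNotEscaped flags, then with every
 * dynamic value escaped for its final output context. Assumes a WordPress
 * runtime; 'hypothetical_card_settings', 'hypothetical_card_body' and the
 * hypothetical_ prefix are placeholders.
 */

// Flagged form: option values and a filter result reach HTML with no escaping call.
function hypothetical_render_card_flagged() {
	$settings = get_option( 'hypothetical_card_settings', array() );
	$title    = isset( $settings['title'] ) ? $settings['title'] : '';
	$link     = isset( $settings['link'] ) ? $settings['link'] : '';
	$css      = isset( $settings['css_class'] ) ? $settings['css_class'] : '';
	$body     = apply_filters( 'hypothetical_card_body', '' );

	// Every echo below is reported by the sniff: nothing wraps the variable at the print.
	echo '<div class="card ' . $css . '">';
	echo '<h3>' . $title . '</h3>';
	echo '<a href="' . $link . '">' . $title . '</a>';
	echo '<div class="body">' . $body . '</div>';
	echo '</div>';
}

// Fixed form: escape at the point of output, choosing the function by final context.
function hypothetical_render_card() {
	$settings = get_option( 'hypothetical_card_settings', array() );
	$title    = isset( $settings['title'] ) ? $settings['title'] : '';
	$link     = isset( $settings['link'] ) ? $settings['link'] : '';
	$css      = isset( $settings['css_class'] ) ? $settings['css_class'] : '';
	$body     = apply_filters( 'hypothetical_card_body', '' );

	// Attribute context: esc_attr() encodes quotes, so the value cannot close the attribute.
	echo '<div class="card ' . esc_attr( $css ) . '">';

	// Text context: esc_html() encodes < > & " ', so the title cannot open a tag.
	echo '<h3>' . esc_html( $title ) . '</h3>';

	// URL context: esc_url() drops values with a disallowed scheme and encodes the rest
	// for use inside href. The link text is still text, so it gets esc_html() again.
	echo '<a href="' . esc_url( $link ) . '">' . esc_html( $title ) . '</a>';

	// Limited HTML is intended here (paragraphs, links, emphasis): wp_kses_post() keeps
	// the tags allowed in post content and strips everything else.
	echo '<div class="body">' . wp_kses_post( $body ) . '</div>';

	// Translated strings are dynamic too; esc_html_e() translates and escapes in one step.
	echo '<p class="hint">';
	esc_html_e( 'Configured under Settings', 'hypothetical-card' );
	echo '</p>';

	// printf() with placeholders is also accepted, as long as each argument is escaped.
	printf(
		'<span class="%1$s">%2$s</span>',
		esc_attr( $css ),
		esc_html( $title )
	);

	echo '</div>';
}
```

Escaping happens at the `echo`, not when the value is stored: sanitising on save (for example with `sanitize_text_field()`) limits what goes into the option but says nothing about the context it is later printed into, so the sniff still expects an escaping call at the output line. Keeping the raw value in a variable and escaping it only in the last statement is what "escape as late as possible" means in practice.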
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4651 | IMGspider – 图片采集抓取插件 | 50 | 12 | 49 | 2k+ | | | Missing nonce verification |
| #4652 | Custom Block Builder – Lazy Blocks | 50 | 23 | 51 | 20k+ | | | Non-prefixed hook name |
| #4653 | Mailster Gravity Forms | 50 | 46 | 32 | 800 | | | Text Domain Mismatch |
| #4654 | Sitemap Generator | 50 | 60 | 26 | 3k+ | | | Output is not escaped |
| #4655 | Meteo | 50 | 58 | 9 | 800 | | | Output is not escaped |
| #4656 | Pago por Redsys | 50 | 44 | 59 | 700 | | | Text Domain Mismatch |
| #4657 | Product Open Pricing (Name Your Price) for WooCommerce | 50 | 105 | 37 | 6k+ | | | Text Domain Mismatch |
| #4658 | 📷 Simple QR Code Generator Widget | 50 | 21 | 14 | 400 | | | Output is not escaped |
| #4659 | Razorpay Payment Links for WooCommerce | 50 | 16 | 34 | 1k+ | | | Nonce verification recommended |
| #4660 | Section Widget | 50 | 24 | 35 | 500 | | | Nonce verification recommended |
| #4661 | Send Emails with Mandrill | 50 | 36 | 141 | 6k+ | | | Non-prefixed global variable |
| #4662 | Server Info – System Health & Diagnostics Suite | 50 | 15 | 46 | 3k+ | | | Input is not sanitized |
| #4663 | Simple User Listing | 50 | 27 | 56 | 900 | | | Non-prefixed global variable |
| #4664 | Sözleşmeler | 50 | 6 | 36 | 1k+ | | | Input is not sanitized |
| #4665 | Table Addons for Elementor | 50 | 92 | 29 | 20k+ | | | wp function not compatible with requires wp |
| #4666 | Theme Demo Import | 50 | 101 | 95 | 5k+ | | | Non-prefixed hook name |
| #4667 | Tiempo | 50 | 53 | 8 | 800 | | | Output is not escaped |
| #4668 | TrustedSite | 50 | 29 | 14 | 20k+ | | | Output is not escaped |
| #4669 | Ultimate Floating Widgets – Make popup sidebars | 50 | 48 | 14 | 3k+ | | | Output is not escaped |
| #4670 | Ultimate WooCommerce Brands | 50 | 87 | 12 | 500 | | | Text Domain Mismatch |
| #4671 | Veeqo for WooCommerce | 50 | 30 | 17 | 700 | | | Missing direct file access protection |
| #4672 | WP Hide Show Featured Image | 50 | 36 | 5 | 4k+ | | | Unsafe printing function |
| #4673 | WP SVG Images | 50 | 58 | 12 | 30k+ | | | Text Domain Mismatch |
| #4674 | ACF: User Role Selector | 51 | 41 | 2 | 600 | | | Output is not escaped |
| #4675 | Address Geocoder | 51 | 12 | 18 | 500 | | | Output is not escaped |
| #4676 | Adjust Admin Categories | 51 | 30 | 12 | 10k+ | | | Output is not escaped |
| #4677 | Aspexi Social Media Slider | 51 | 177 | 15 | 2k+ | | | Text Domain Mismatch |
| #4678 | AVIF Uploader | 51 | 50 | 44 | 4k+ | | | Missing Arg Domain |
| #4679 | Feeds for TikTok – Display Video Feeds in Grid Layouts | 51 | 18 | 59 | 1k+ | | | Request data is not unslashed |
| #4680 | Cards for Beaver Builder | 51 | 63 | 1 | 1k+ | | | Output is not escaped |
| #4681 | Booqable Rental Plugin | 51 | 81 | 18 | 1k+ | | | wp function not compatible with requires wp |
| #4682 | Bootstrap Modals | 51 | 43 | 8 | 1k+ | | | Output is not escaped |
| #4683 | WPML Multilingual for BuddyPress and BuddyBoss | 51 | 18 | 21 | 6k+ | | | SQL query is not prepared |
| #4684 | Category Archive Widget | 51 | 54 | 2 | 800 | | | Output is not escaped |
| #4685 | CloudFilt Bot & Spam Protection | 51 | 11 | 22 | 600 | | | Output is not escaped |
| #4686 | Disk Usage Insights | 51 | 26 | 42 | 1k+ | | | Non-prefixed global variable |
| #4687 | Firelight Lightbox | 51 | 78 | 97 | 200k+ | | | Non-prefixed global variable |
| #4688 | Easy Search Replace – Find & Replace Text/HTML/URLs, Remove Footer Credit | 51 | 6 | 61 | 500 | | | Input is not sanitized |
| #4689 | GamiPress – Reset User | 51 | 14 | 27 | 400 | | | Interpolated SQL is not prepared |
| #4690 | Gravatar Enhanced – Avatars, Profiles, and Privacy | 51 | 38 | 48 | 100k+ | | | Dynamic hook name |
| #4691 | Gravity Forms No CAPTCHA reCAPTCHA | 51 | 30 | 17 | 10k+ | | | Text Domain Mismatch |
| #4692 | Gutenverse – WordPress Blocks, Page Builder & Site Editor | 51 | 17 | 47 | 20k+ | | | Non-prefixed hook name |
| #4693 | Interactive Globes – 3D World Maps | 51 | 24 | 104 | 400 | | | Non-prefixed global variable |
| #4694 | Juicer.io: Effortlessly embed, curate, and aggregate social media feeds into your website | 51 | 44 | 34 | 9k+ | | | Output is not escaped |
| #4695 | KIA Subtitle | 51 | 21 | 19 | 7k+ | | | Non-prefixed global variable |
| #4696 | Menu Icons by Themeisle – Add Icons to Navigation Menus | 51 | 34 | 22 | 100k+ | | | Output is not escaped |
| #4697 | Lite Video Embed | 51 | 35 | 7 | 1k+ | | | Output is not escaped |
| #4698 | Mintpay | 51 | 14 | 35 | 600 | | | Nonce verification recommended |
| #4699 | OnSale Page for WooCommerce | 51 | 30 | 44 | 2k+ | | | Text Domain Mismatch |
| #4700 | POLi Payments for WooCommerce | 51 | 62 | 26 | 500 | | | Text Domain Mismatch |