WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
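The three fixes above applied to one render function, shown beside the form the sniff flags. This is an added example, not code from any listed plugin; the `myplugin_` function names and the `myplugin_badge` option are hypothetical, and it assumes it runs inside WordPress.

```php
<?php
// Added example: function names and the 'myplugin_badge' option are hypothetical.

// Before: each echo of a $badge value is reported as OutputNotEscaped.
function myplugin_render_badge_unescaped() {
	$badge = get_option( 'myplugin_badge', array() );
	echo '<a class="' . $badge['class'] . '" href="' . $badge['link'] . '">';
	echo $badge['label'];
	echo '</a>';
	echo '<div class="note">' . $badge['note'] . '</div>';
}

// After: values stay raw until the moment of output, then each one is
// escaped with the function that matches the context it lands in.
function myplugin_render_badge() {
	$badge = wp_parse_args(
		get_option( 'myplugin_badge', array() ),
		array(
			'class' => '',
			'link'  => '',
			'label' => '',
			'note'  => '',
		)
	);

	printf(
		'<a class="%1$s" href="%2$s">%3$s</a>',
		esc_attr( $badge['class'] ), // HTML attribute value.
		esc_url( $badge['link'] ),   // URL; disallowed schemes such as javascript: are rejected.
		esc_html( $badge['label'] )  // Plain text node.
	);

	// Limited HTML is intended in the note, so filter it against the
	// post-content allowlist instead of escaping every tag.
	echo '<div class="note">' . wp_kses_post( $badge['note'] ) . '</div>';
}
```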
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #4701 | Mintpay | 51 | 14 | 35 | 600 | Nonce verification recommended | ||
| #4702 | OnSale Page for WooCommerce | 51 | 30 | 44 | 2k+ | Text Domain Mismatch | ||
| #4703 | POLi Payments for WooCommerce | 51 | 62 | 26 | 500 | Text Domain Mismatch | ||
| #4704 | Security-Protection | 51 | 5 | 32 | 400 | Missing nonce verification | ||
| #4705 | Contact Information Widget | 51 | 69 | 5 | 500 | Output is not escaped | ||
| #4706 | Simple Cookie Notification Bar | 51 | 49 | 6 | 1k+ | Text Domain Mismatch | ||
| #4707 | Popular Brand Icons – Simple Icons | 51 | 20 | 12 | 3k+ | Output is not escaped | ||
| #4708 | Redirect | 51 | 26 | 12 | 5k+ | Output is not escaped | ||
| #4709 | Star Rating Field For Contact Form 7 | 51 | 36 | 7 | 800 | Output is not escaped | ||
| #4710 | Tiny gtag.js Analytics | 51 | 39 | 0 | 400 | Output is not escaped | ||
| #4711 | Toolbar Publish Button | 51 | 37 | 4 | 5k+ | Unsafe printing function | ||
| #4712 | Tourfic Toolkit | 51 | 44 | 27 | 1k+ | Output is not escaped | ||
| #4713 | Trustpilot Reviews | 51 | 14 | 52 | 30k+ | Missing nonce verification | ||
| #4714 | User Activity Tracking and Log | 51 | 28 | 237 | 3k+ | Non-prefixed global variable | ||
| #4715 | Visual Sitemap | 51 | 23 | 6 | 400 | Output is not escaped | ||
| #4716 | VK Filter Search | 51 | 35 | 71 | 6k+ | Nonce verification recommended | ||
| #4717 | Payment Gateway Payoneer For WooCommerce | 51 | 9 | 35 | 1k+ | Input is not validated | ||
| #4718 | WP Counter Up – Animated Number Counter & Milestone Showcase | 51 | 18 | 239 | 1k+ | Non-prefixed global variable | ||
| #4719 | REST API Log | 51 | 44 | 95 | 5k+ | Non-prefixed hook name | ||
| #4720 | Insert Code by Angie Makes | 51 | 43 | 8 | 900 | Output is not escaped | ||
| #4721 | WPFrom Email | 51 | 44 | 12 | 600 | Output is not escaped | ||
| #4722 | Affiliate Area Shortcodes by AffiliateWP | 52 | 56 | 16 | 2k+ | Text Domain Mismatch | ||
| #4723 | Age Gate Lite | 52 | 28 | 3 | 2k+ | Output is not escaped | ||
| #4724 | Bloglovin Button | 52 | 33 | 1 | 800 | Output is not escaped | ||
| #4725 | Debug This | 52 | 43 | 32 | 2k+ | Missing Translators Comment | ||
| #4726 | Easy WP Page Navigation | 52 | 60 | 8 | 800 | Non Singular String Literal Domain | ||
| #4727 | Formstack Online Forms | 52 | 39 | 20 | 1k+ | Output is not escaped | ||
| #4728 | Full Screen Background | 52 | 24 | 26 | 2k+ | Missing direct file access protection | ||
| #4729 | Fullscreen Galleria | 52 | 37 | 10 | 800 | Output is not escaped | ||
| #4730 | Request a Quote for WooCommerce – Get a Quote Button | 52 | 25 | 12 | 6k+ | Output is not escaped | ||
| #4731 | GSheetConnector for Gravity Forms – Send Gravity Forms Entries to Google Sheets in Real-Time | 52 | 26 | 27 | 1k+ | Exception output is not escaped | ||
| #4732 | Hangul font nanumgothic – google | 52 | 35 | 16 | 1k+ | Output is not escaped | ||
| #4733 | LeadBooster Chatbot by Pipedrive | 52 | 38 | 6 | 2k+ | Output is not escaped | ||
| #4734 | Meta Generator and Version Info Remover | 52 | 20 | 28 | 10k+ | Non-prefixed function | ||
| #4735 | Metronet Tag Manager | 52 | 17 | 36 | 20k+ | Input is not validated | ||
| #4736 | Post Notification by Email | 52 | 36 | 13 | 2k+ | Output is not escaped | ||
| #4737 | Plugins Load Order | 52 | 32 | 16 | 500 | Non Singular String Literal Domain | ||
| #4738 | Podium | 52 | 21 | 23 | 5k+ | Missing direct file access protection | ||
| #4739 | Product Bundles – Variation Bundles | 52 | 23 | 13 | 600 | Output is not escaped | ||
| #4740 | Remove Uppercase Accents | 52 | 41 | 2 | 8k+ | Unsafe printing function | ||
| #4741 | SEOWriting | 52 | 10 | 24 | 30k+ | Output is not escaped | ||
| #4742 | SKU Generator for WooCommerce | 52 | 29 | 12 | 2k+ | Output is not escaped | ||
| #4743 | Starbox – the Author Box for Humans | 52 | 144 | 19 | 10k+ | Non Singular String Literal Domain | ||
| #4744 | Stealth Publish | 52 | 7 | 22 | 900 | Missing nonce verification | ||
| #4745 | Custom Post Template By Templatic | 52 | 19 | 14 | 600 | Text Domain Mismatch | ||
| #4746 | TNC Toolbox: Web Performance | 52 | 20 | 25 | 1k+ | Output is not escaped | ||
| #4747 | Travel Map | 52 | 36 | 11 | 1k+ | Output is not escaped | ||
| #4748 | Wenprise Pinyin Slug | 52 | 30 | 34 | 4k+ | Text Domain Mismatch | ||
| #4749 | which template file | 52 | 19 | 12 | 4k+ | Output is not escaped | ||
| #4750 | Thank You Page Customizer for WooCommerce – Increase Your Sales | 52 | 5 | 249 | 4k+ | Non-prefixed global variable |