WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output becomes a cross-site scripting (XSS) vector whenever an attacker controls any part of the value being printed, for example through a stored option, a request parameter, or post content.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
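The three rules above, shown on one rendering function as an added example (this is not code from the original page or from any of the plugins listed below). It assumes it runs inside WordPress, where `get_option()`, `wp_unslash()`, `sanitize_key()`, `esc_html()`, `esc_attr()`, `esc_url()` and `wp_kses_post()` are available; the `example_` function prefix and the option names are hypothetical.

```php
<?php
/**
 * Added example, not from the original page. Assumes it is loaded inside
 * WordPress; the example_ prefix and the example_banner_* option names are
 * hypothetical.
 */

// --- Flagged by WordPress.Security.EscapeOutput.OutputNotEscaped -------------
// Every value below is dynamic (option table, request, function result) and
// reaches HTML with no escaping call for its context. An option value such as
// `"><script>...</script>` or a link of `javascript:...` would be printed as-is.
function example_render_banner_unescaped() {
    $title = get_option( 'example_banner_title', '' );
    $link  = get_option( 'example_banner_link', '' );
    $body  = get_option( 'example_banner_body', '' );
    $cls   = isset( $_GET['theme'] ) ? wp_unslash( $_GET['theme'] ) : 'light';

    echo '<div class="banner ' . $cls . '">';
    echo '<h2>' . $title . '</h2>';
    echo '<a href="' . $link . '">' . $title . '</a>';
    echo '<div class="body">' . $body . '</div>';
    echo '</div>';
}

// --- Same markup, escaped for each context right before it is printed --------
function example_render_banner_escaped() {
    $title = get_option( 'example_banner_title', '' );
    $link  = get_option( 'example_banner_link', '' );
    $body  = get_option( 'example_banner_body', '' );
    // Sanitizing on input (sanitize_key) restricts what is stored or used;
    // escaping on output below still happens regardless, because the two
    // steps protect against different things.
    $cls   = isset( $_GET['theme'] ) ? sanitize_key( wp_unslash( $_GET['theme'] ) ) : 'light';

    // Attribute value: esc_attr() encodes quotes, so the value cannot close
    // the class attribute and start an event-handler attribute.
    echo '<div class="banner ' . esc_attr( $cls ) . '">';

    // Text node between tags: esc_html() encodes < > & " '.
    echo '<h2>' . esc_html( $title ) . '</h2>';

    // href attribute: esc_url() rejects disallowed protocols (javascript:,
    // data: ...) and encodes the remainder for the attribute context. The
    // link text is a text node again, so it gets esc_html(), not esc_url().
    echo '<a href="' . esc_url( $link ) . '">' . esc_html( $title ) . '</a>';

    // Limited HTML is intentional here: wp_kses_post() keeps the tags and
    // attributes allowed in post content and strips everything else,
    // including <script> and on* handlers.
    echo '<div class="body">' . wp_kses_post( $body ) . '</div>';

    echo '</div>';
}

// --- Why "escape late" matters ----------------------------------------------
// Escaping into a variable early fixes one context and silently misfits the
// others: $safe is correct as a text node but, reused inside an attribute,
// esc_html() has not guaranteed the value cannot contain a quote that
// esc_attr() would have handled for that context. Keep the raw value and
// escape at each echo instead.
function example_escape_late( $title ) {
    $safe = esc_html( $title );              // escaped for one context only
    echo '<span title="' . $safe . '">';     // wrong: attribute context
    echo '<span title="' . esc_attr( $title ) . '">' . esc_html( $title ) . '</span>'; // right
}
```

`esc_html()` and `esc_attr()` both encode quotes in current WordPress, which is why the early-escaped `$safe` often appears to work; the sniff still flags the reuse because the function was chosen for a different context than the one it ends up in, and the guarantee no longer follows from reading the line that prints it.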
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4751 | WP Eventbrite Embedded Checkout | 52 | 49 | 7 | 700 | | | Text Domain Mismatch |
| #4752 | WP Hooks Finder | 52 | 27 | 31 | 1k+ | | | Output is not escaped |
| #4753 | WP Secure Maintenance | 52 | 28 | 18 | 1k+ | | | Output is not escaped |
| #4754 | Bg RuTube Embed | 53 | 19 | 21 | 1k+ | | | Unsafe printing function |
| #4755 | Bulk Actions Select All | 53 | 26 | 22 | 800 | | | Text Domain Mismatch |
| #4756 | Column Shortcodes | 53 | 32 | 9 | 60k+ | | | Unsafe printing function |
| #4757 | Connect Contact Form 7 and Mailchimp | 53 | 236 | 52 | 40k+ | | | Text Domain Mismatch |
| #4758 | Custom Post Type UI | 53 | 16 | 23 | 1m+ | | | Output is not escaped |
| #4759 | Disable Comments – Remove Comments & Stop Spam [Multi-Site Support] | 53 | 15 | 46 | 1m+ | | | Non-prefixed global variable |
| #4760 | Download PDF After Submit Form | 53 | 2 | 45 | 500 | | | Input is not sanitized |
| #4761 | Elegant Custom Fonts | 53 | 15 | 17 | 3k+ | | | Output is not escaped |
| #4762 | Export Custom Pages | 53 | 22 | 19 | 700 | | | Output is not escaped |
| #4763 | FakerPress | 53 | 66 | 152 | 10k+ | | | Non-prefixed global variable |
| #4764 | Focus Videos | 53 | 36 | 9 | 400 | | | Text Domain Mismatch |
| #4765 | International Telephone Input for Contact Form 7 | 53 | 18 | 10 | 8k+ | | | Missing direct file access protection |
| #4766 | LearnPress – bbPress Integration | 53 | 19 | 14 | 2k+ | | | Output is not escaped |
| #4767 | LuckyWP ACF Menu Field | 53 | 46 | 9 | 5k+ | | | Short PHP open tag found |
| #4768 | MOBILOOK — Mobile View & Mobile‑Friendly Test | 53 | 10 | 20 | 1k+ | | | Missing nonce verification |
| #4769 | Multiple external product URLs for WooCommerce | 53 | 28 | 17 | 400 | | | Text Domain Mismatch |
| #4770 | Multiple Post Thumbnails | 53 | 25 | 18 | 20k+ | | | Output is not escaped |
| #4771 | ONTRApages | 53 | 16 | 27 | 1k+ | | | Output is not escaped |
| #4772 | 워드프레스 결제 심플페이 – 우커머스 결제 플러그인 | 53 | 79 | 92 | 1k+ | | | Missing direct file access protection |
| #4773 | Post Type Converter | 53 | 5 | 28 | 1k+ | | | Nonce verification recommended |
| #4774 | Preserved HTML Editor Markup | 53 | 12 | 22 | 600 | | | Output is not escaped |
| #4775 | Preserved HTML Editor Markup Plus | 53 | 12 | 22 | 3k+ | | | Output is not escaped |
| #4776 | pretix widget | 53 | 25 | 39 | 400 | | | Non-prefixed global variable |
| #4777 | Pure Metafields | 53 | 5 | 130 | 10k+ | | | Non-prefixed global variable |
| #4778 | RDFa Breadcrumb | 53 | 27 | 13 | 600 | | | Output is not escaped |
| #4779 | REST API Featured Image | 53 | 34 | 16 | 700 | | | Output is not escaped |
| #4780 | Send Email From Admin | 53 | 27 | 13 | 800 | | | Text Domain Mismatch |
| #4781 | Shamor | 53 | 55 | 12 | 400 | | | wp function not compatible with requires wp |
| #4782 | Simple Blog Stats | 53 | 25 | 76 | 4k+ | | | Non-prefixed function |
| #4783 | Simple Copy Post Button | 53 | 14 | 24 | 400 | | | Input is not sanitized |
| #4784 | Simple Masonry Layout | 53 | 28 | 28 | 1k+ | | | Output is not escaped |
| #4785 | Skroutz Analytics for WooCommerce | 53 | 57 | 15 | 1k+ | | | Text Domain Mismatch |
| #4786 | Social Media Widget | 53 | 90 | 21 | 30k+ | | | Text Domain Mismatch |
| #4787 | SoundPress Plugin | 53 | 44 | 3 | 1k+ | | | Output is not escaped |
| #4788 | Texty – SMS Notification for WordPress, WooCommerce, Dokan and more | 53 | 31 | 34 | 8k+ | | | Output is not escaped |
| #4789 | Weight Based Shipping for WooCommerce | 53 | 48 | 41 | 60k+ | | | Missing direct file access protection |
| #4790 | Widget Context | 53 | 14 | 20 | 40k+ | | | Non-prefixed hook name |
| #4791 | Widget Icon | 53 | 53 | 10 | 700 | | | Output is not escaped |
| #4792 | Widgets Reloaded | 53 | 62 | 20 | 1k+ | | | Output is not escaped |
| #4793 | WP Console – WordPress PHP Console powered by PsySH | 53 | 34 | 48 | 20k+ | | | Exception output is not escaped |
| #4794 | WP Login Logo | 53 | 28 | 9 | 500 | | | Unsafe printing function |
| #4795 | Peadig's Twitter Feed: Embedded Timeline WordPress Plugin | 53 | 37 | 6 | 600 | | | Output is not escaped |
| #4796 | WP User Switch | 53 | 8 | 46 | 1k+ | | | Input is not sanitized |
| #4797 | aBlocks – Gutenberg Blocks, User Dashboard Builder, Popup Builder, Form Builder & Animation Builder | 54 | 8 | 382 | 2k+ | | | Non-prefixed global variable |
| #4798 | AffiliateWP – Order Details For Affiliates | 54 | 62 | 27 | 2k+ | | | Output is not escaped |
| #4799 | Analytics Head | 54 | 34 | 7 | 600 | | | Output is not escaped |
| #4800 | Anant Addons for Elementor – Widgets, Templates & WooCommerce Builder | 54 | 29 | 207 | 800 | | | Non-prefixed global variable |