WordPress.Security.EscapeOutput.OutputNotEscaped
Output is not escaped
Dynamic data is printed to the page without an escaping function for the output context.
Why It Shows Up
WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.
Why It Matters
Unescaped output can become cross-site scripting when attackers control any part of the value being printed.
How to Fix
- Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
- Escape as late as possible, right before output, so the selected escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4901 | Pluginception | 56 | 7 | 29 | 4k+ | Request data is not unslashed | ||
| #4902 | Posts Columns Manager | 56 | 47 | 2 | 800 | Output is not escaped | ||
| #4903 | PuzzleMe – Interactive Puzzles for WordPress – Easily publish crosswords, quizzes, word searches and more | 56 | 36 | 15 | 1k+ | Output is not escaped | ||
| #4904 | Quick Flickr Widget | 56 | 37 | 2 | 400 | Output is not escaped | ||
| #4905 | Replace Protected Password | 56 | 6 | 18 | 600 | Input is not sanitized | ||
| #4906 | Require Featured Image | 56 | 20 | 6 | 3k+ | Output is not escaped | ||
| #4907 | Review Stream | 56 | 41 | 42 | 400 | Non-prefixed global variable | ||
| #4908 | Seed Social | 56 | 36 | 7 | 6k+ | Output is not escaped | ||
| #4909 | Image Optimization For SEO | 56 | 116 | 69 | 3k+ | Non Singular String Literal Domain | ||
| #4910 | Simple Org Chart | 56 | 15 | 29 | 900 | Missing Version | ||
| #4911 | Smooth Back To Top Button | 56 | 41 | 7 | 40k+ | Output is not escaped | ||
| #4912 | TableKit: Table Builder Blocks for Gutenberg | 56 | 80 | 20 | 3k+ | Missing Translators Comment | ||
| #4913 | TextBuilder | 56 | 20 | 34 | 4k+ | Missing Arg Domain | ||
| #4914 | ThemeinWP Import Companion | 56 | 17 | 14 | 4k+ | Unsafe printing function | ||
| #4915 | USERCENTRICS CMP | 56 | 44 | 11 | 1k+ | Non Singular String Literal Domain | ||
| #4916 | Export & Import WPBakery Page Builder | 56 | 12 | 20 | 9k+ | Missing nonce verification | ||
| #4917 | Video Dashboard | 56 | 33 | 1 | 500 | Output is not escaped | ||
| #4918 | Weer | 56 | 54 | 6 | 400 | Output is not escaped | ||
| #4919 | easy AMP | 56 | 10 | 24 | 600 | Input is not sanitized | ||
| #4920 | WP Clean Admin Menu | 56 | 29 | 11 | 2k+ | Output is not escaped | ||
| #4921 | Social Chat – Click To Chat App Button | 56 | 81 | 45 | 200k+ | Text Domain Mismatch | ||
| #4922 | Blog Time | 57 | 38 | 6 | 600 | Output is not escaped | ||
| #4923 | Pantheon Migrations | 57 | 15 | 26 | 1k+ | Output is not escaped | ||
| #4924 | Cache-Control | 57 | 26 | 4 | 1k+ | Output is not escaped | ||
| #4925 | Change Login Page Logo | 57 | 69 | 8 | 1k+ | Output is not escaped | ||
| #4926 | Cresta Social Share Counter | 57 | 12 | 13 | 2k+ | Output is not escaped | ||
| #4927 | Known Agents – Track AI Bots and Crawlers, Block Scrapers, Analyze LLM Referral Traffic | 57 | 37 | 12 | 1k+ | Setting is missing a sanitization callback | ||
| #4928 | Delete Pending Comments | 57 | 16 | 11 | 10k+ | Unsafe printing function | ||
| #4929 | Disable Cart Fragments by Optimocha | 57 | 8 | 13 | 10k+ | Nonce verification recommended | ||
| #4930 | Easy GDPR Consent Forms – MailChimp | 57 | 72 | 22 | 500 | Text Domain Mismatch | ||
| #4931 | Elementor Beta (Developer Edition) | 57 | 36 | 32 | 30k+ | Output is not escaped | ||
| #4932 | Live Chat by Formilla – Real-time Chat & Chatbots Plugin | 57 | 22 | 13 | 2k+ | Missing Arg Domain | ||
| #4933 | APG Google Image Sitemap Feed | 57 | 36 | 33 | 900 | Non-prefixed global variable | ||
| #4934 | Hide Admin Notices | 57 | 9 | 16 | 20k+ | Input is not sanitized | ||
| #4935 | iConvert Promoter | 57 | 98 | 217 | 1k+ | Non-prefixed global variable | ||
| #4936 | iZooto – Web Push Notifications | 57 | 26 | 25 | 1k+ | wp function not compatible with requires wp | ||
| #4937 | Jquery Validation For Contact Form 7 | 57 | 16 | 19 | 9k+ | Missing direct file access protection | ||
| #4938 | Logo Manager For Enamad – لوگوی نماد الکترونیکی | 57 | 18 | 14 | 5k+ | Output is not escaped | ||
| #4939 | Longer Permalinks | 57 | 27 | 21 | 8k+ | Missing Arg Domain | ||
| #4940 | My WordPress Login Logo | 57 | 28 | 36 | 10k+ | Non-prefixed global variable | ||
| #4941 | Plethora Plugins Tabs + Accordions | 57 | 44 | 10 | 2k+ | Output is not escaped | ||
| #4942 | Plugin Notes | 57 | 17 | 29 | 400 | Input is not validated | ||
| #4943 | Protected Posts Logout Button | 57 | 10 | 20 | 1k+ | Input is not sanitized | ||
| #4944 | Public Post Preview | 57 | 8 | 11 | 100k+ | Nonce verification recommended | ||
| #4945 | Real-Time Find and Replace | 57 | 23 | 10 | 70k+ | Output is not escaped | ||
| #4946 | Replain | 57 | 21 | 9 | 700 | Output is not escaped | ||
| #4947 | Simple CSS | 57 | 22 | 13 | 80k+ | Missing Version | ||
| #4948 | Site Health Tool Manager | 57 | 13 | 5 | 1k+ | Unsafe printing function | ||
| #4949 | Responsive Slideshow – Photo Carousel | 57 | 1 | 74 | 2k+ | Non-prefixed global variable | ||
| #4950 | Team View | 57 | 32 | 19 | 900 | Output is not escaped |