WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4901Pluginception567294k+Request data is not unslashed
#4902Posts Columns Manager56472800Output is not escaped
#4903PuzzleMe – Interactive Puzzles for WordPress – Easily publish crosswords, quizzes, word searches and more5636151k+Output is not escaped
#4904Quick Flickr Widget56372400Output is not escaped
#4905Replace Protected Password56618600Input is not sanitized
#4906Require Featured Image562063k+Output is not escaped
#4907Review Stream564142400Non-prefixed global variable
#4908Seed Social563676k+Output is not escaped
#4909Image Optimization For SEO56116693k+Non Singular String Literal Domain
#4910Simple Org Chart561529900Missing Version
#4911Smooth Back To Top Button5641740k+Output is not escaped
#4912TableKit: Table Builder Blocks for Gutenberg5680203k+Missing Translators Comment
#4913TextBuilder5620344k+Missing Arg Domain
#4914ThemeinWP Import Companion5617144k+Unsafe printing function
#4915USERCENTRICS CMP5644111k+Non Singular String Literal Domain
#4916Export & Import WPBakery Page Builder5612209k+Missing nonce verification
#4917Video Dashboard56331500Output is not escaped
#4918Weer56546400Output is not escaped
#4919easy AMP561024600Input is not sanitized
#4920WP Clean Admin Menu5629112k+Output is not escaped
#4921Social Chat – Click To Chat App Button568145200k+Text Domain Mismatch
#4922Blog Time57386600Output is not escaped
#4923Pantheon Migrations5715261k+Output is not escaped
#4924Cache-Control572641k+Output is not escaped
#4925Change Login Page Logo576981k+Output is not escaped
#4926Cresta Social Share Counter5712132k+Output is not escaped
#4927Known Agents – Track AI Bots and Crawlers, Block Scrapers, Analyze LLM Referral Traffic5737121k+Setting is missing a sanitization callback
#4928Delete Pending Comments57161110k+Unsafe printing function
#4929Disable Cart Fragments by Optimocha5781310k+Nonce verification recommended
#4930Easy GDPR Consent Forms – MailChimp577222500Text Domain Mismatch
#4931Elementor Beta (Developer Edition)57363230k+Output is not escaped
#4932Live Chat by Formilla – Real-time Chat & Chatbots Plugin5722132k+Missing Arg Domain
#4933APG Google Image Sitemap Feed573633900Non-prefixed global variable
#4934Hide Admin Notices5791620k+Input is not sanitized
#4935iConvert Promoter57982171k+Non-prefixed global variable
#4936iZooto – Web Push Notifications5726251k+wp function not compatible with requires wp
#4937Jquery Validation For Contact Form 75716199k+Missing direct file access protection
#4938Logo Manager For Enamad – لوگوی نماد الکترونیکی5718145k+Output is not escaped
#4939Longer Permalinks5727218k+Missing Arg Domain
#4940My WordPress Login Logo57283610k+Non-prefixed global variable
#4941Plethora Plugins Tabs + Accordions5744102k+Output is not escaped
#4942Plugin Notes571729400Input is not validated
#4943Protected Posts Logout Button5710201k+Input is not sanitized
#4944Public Post Preview57811100k+Nonce verification recommended
#4945Real-Time Find and Replace57231070k+Output is not escaped
#4946Replain57219700Output is not escaped
#4947Simple CSS57221380k+Missing Version
#4948Site Health Tool Manager571351k+Unsafe printing function
#4949Responsive Slideshow – Photo Carousel571742k+Non-prefixed global variable
#4950Team View573219900Output is not escaped