Patching add-comments

Never assume, always confirm. The most prevalent security bug in web applications is the venerable XSS. Bug bounty hunters can spot one a mile away, and the impact is substantial, so these bugs should not be ignored. Many developers assume someone else will handle protection against XSS for them, and get a cold shower of truth when it turns out to be the first bug they have to patch.

The framework, WordPress in this case, makes it as easy as it can for plugin developers to protect their code against XSS bugs. But it can't force them. Like leading a horse to water, the developers still need to use the functions WordPress provides to sanitize input values and to properly escape them on output. Context matters here: only the plugin developer knows whether an input value should be an integer, a file name, or a blob of text, and only the developer knows whether it will land in an HTML text node, an attribute, a URL, or a script. So only the developer can choose the right sanitization function for each input and the right escape function for each output.

Writing XSS bug patches is straightforward. Looking at the context, both what the value represents and where it is being output, determines which function the string value should be passed through.
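The pattern described above, as an added example that is not the add-comments plugin's own code and does not reproduce its actual bug: one hypothetical comment handler written first in the vulnerable style (raw request values echoed into HTML), then hardened with WordPress's `sanitize_*()` functions chosen per input type and `esc_*()` functions chosen per output context. It assumes the WordPress runtime is loaded (plugin context); the function names prefixed `example_` and the form field names are assumptions for illustration.

```php
<?php
/**
 * Added example, not code from the add-comments plugin. Assumes WordPress
 * is loaded (plugin context). Function names prefixed example_ and the
 * request field names are hypothetical.
 */

// --- Vulnerable: raw request values echoed straight into HTML ----------
function example_render_comment_vulnerable() {
    $post_id = $_GET['post_id'];        // expected: integer
    $author  = $_POST['author'];        // expected: short text
    $avatar  = $_POST['avatar_file'];   // expected: a file name
    $website = $_POST['website'];       // expected: a URL
    $body    = $_POST['body'];          // expected: text blob, limited HTML

    // Every interpolation below is an XSS sink: nothing is sanitized or escaped.
    echo '<div class="comment" data-post="' . $post_id . '">';
    echo '<a href="' . $website . '">' . $author . '</a>';
    echo '<img src="/uploads/avatars/' . $avatar . '">';
    echo '<p>' . $body . '</p>';
    echo '</div>';
}

// --- Hardened, step 1: sanitize on input according to what the value IS --
function example_read_comment_input() {
    // wp_unslash() removes the slashes WordPress adds to request data before
    // the value is sanitized, so the sanitizer sees the real input.
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    $author  = isset( $_POST['author'] )
        ? sanitize_text_field( wp_unslash( $_POST['author'] ) ) : '';
    $avatar  = isset( $_POST['avatar_file'] )
        ? sanitize_file_name( wp_unslash( $_POST['avatar_file'] ) ) : '';
    $website = isset( $_POST['website'] )
        ? esc_url_raw( wp_unslash( $_POST['website'] ) ) : '';
    // A text blob that may carry some markup: keep only the post-safe tag set.
    $body    = isset( $_POST['body'] )
        ? wp_kses_post( wp_unslash( $_POST['body'] ) ) : '';

    return compact( 'post_id', 'author', 'avatar', 'website', 'body' );
}

// --- Hardened, step 2: escape on output according to WHERE the value lands --
function example_render_comment_safe( array $c ) {
    // Attribute context.
    echo '<div class="comment" data-post="' . esc_attr( $c['post_id'] ) . '">';
    // href is a URL context; the link text is an HTML text node.
    echo '<a href="' . esc_url( $c['website'] ) . '">' . esc_html( $c['author'] ) . '</a>';
    // URL context again; the file name was already constrained on input.
    echo '<img src="' . esc_url( '/uploads/avatars/' . $c['avatar'] ) . '">';
    // Stored HTML is re-filtered at output time rather than trusted blindly.
    echo '<p>' . wp_kses_post( $c['body'] ) . '</p>';
    echo '</div>';
}

// Usage inside a request handler:
// example_render_comment_safe( example_read_comment_input() );
```

Sanitizing on input and escaping on output are separate steps because they answer different questions: `absint()` and `sanitize_file_name()` decide what the value is allowed to be, while `esc_attr()`, `esc_html()` and `esc_url()` decide how it must be encoded for the spot it is printed into. Skipping either step, or using `esc_html()` where the value ends up inside an attribute or a URL, leaves the sink open. This example addresses XSS only; a real form handler would also need the usual nonce and capability checks.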

You can read more technical details about this Last Patch of XSS in add-comments on the Patchstack blog.

