diff --git a/plugins/woocommerce/changelog/trunk b/plugins/woocommerce/changelog/trunk
new file mode 100644
index 00000000000..b67b210de7b
--- /dev/null
+++ b/plugins/woocommerce/changelog/trunk
@@ -0,0 +1,4 @@
+Significance: patch
+Type: fix
+
+Escape the default 'thank you' text instead of the filtered message.
diff --git a/plugins/woocommerce/templates/checkout/order-received.php b/plugins/woocommerce/templates/checkout/order-received.php
index da63173ce87..5cfdd75ad97 100644
--- a/plugins/woocommerce/templates/checkout/order-received.php
+++ b/plugins/woocommerce/templates/checkout/order-received.php
@@ -12,7 +12,7 @@
 *
 * @see https://docs.woocommerce.com/document/template-structure/
 * @package WooCommerce\Templates
- * @version 8.1.0
+ * @version 8.3.0
 *
 * @var WC_Order|false $order
 */
@@ -32,10 +32,11 @@ defined( 'ABSPATH' ) || exit;
 */
 $message = apply_filters(
 'woocommerce_thankyou_order_received_text',
- __( 'Thank you. Your order has been received.', 'woocommerce' ),
+ esc_html( __( 'Thank you. Your order has been received.', 'woocommerce' ) ),
 $order
 );
- echo esc_html( $message );
+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+ echo $message;
 ?>
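Review bot: `echo $message;` in the second hunk of order-received.php now prints whatever the `woocommerce_thankyou_order_received_text` callbacks return with no output-side encoding, so escaping only the default string moves the trust boundary onto every hooked callback. Callbacks written while the template still applied `esc_html()` may interpolate order or customer fields without escaping them, and those values would now reach the page as markup. If the goal is to let filters return limited HTML, `echo wp_kses_post( $message );` keeps that while stripping script-capable markup, and the `phpcs:ignore` line is then unnecessary. If the raw echo stays, the ignore comment should carry its reason, e.g. `// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- filter callbacks must return escaped HTML.`, and the filter docblock, which begins above this hunk, should state the same requirement.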