WordPress.Security.NonceVerification.Missing

Missing nonce verification

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical weight

Why It Shows Up

The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.

Why It Matters

Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.

How to Fix

  • Add a nonce to the form, link, AJAX request, or REST request.
  • Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
  • Keep capability checks separate; nonces prove intent, not permission.
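The steps above applied to one admin form handler, as an added example (not code from the scanned plugins or from the rule's own documentation). The `myplugin_` names, the `manage_options` capability and the `myplugin_label` option are assumptions chosen for illustration.

```php
<?php
/**
 * Plugin Name: Nonce Example (added illustration, hypothetical names throughout)
 */

// Render a form that posts to admin-post.php and carries a nonce field.
// Assumed to be called from the plugin's own settings page callback.
function myplugin_render_form() {
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="myplugin_save" />
		<?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
		<input type="text" name="myplugin_label"
			value="<?php echo esc_attr( get_option( 'myplugin_label', '' ) ); ?>" />
		<?php submit_button(); ?>
	</form>
	<?php
}

// BEFORE: reads $_POST and changes state with no nonce check.
// This is the pattern NonceVerification.Missing reports. Left unhooked on purpose.
function myplugin_save_unverified() {
	if ( isset( $_POST['myplugin_label'] ) ) {
		update_option( 'myplugin_label', sanitize_text_field( wp_unslash( $_POST['myplugin_label'] ) ) );
	}
}

// AFTER: permission first, then intent, then the state change.
function myplugin_save() {
	// Capability check: is this user allowed to change the setting at all?
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'You are not allowed to change this setting.', 'myplugin' ), '', array( 'response' => 403 ) );
	}

	// Nonce check: stops the request unless myplugin_nonce is valid for this action.
	check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

	if ( isset( $_POST['myplugin_label'] ) ) {
		update_option( 'myplugin_label', sanitize_text_field( wp_unslash( $_POST['myplugin_label'] ) ) );
	}

	wp_safe_redirect( admin_url( 'options-general.php' ) );
	exit;
}
add_action( 'admin_post_myplugin_save', 'myplugin_save' );
```

The action string passed to `wp_nonce_field()` and to `check_admin_referer()` must match exactly, and the verification has to run before any `$_POST` value is read for the state change.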

Affected Plugins

Rank | Plugin | Score Errors Warnings Installs Added Updated | Top Issue
#901 | TranslatePress – Translate Multilingual sites with AI Translation | 254551,545400k+ | Non-prefixed function
#902 | Ultimate Bootstrap Elements for Elementor | 256,3261226k+ | Text Domain Mismatch
#903 | Ultimate Post Kit Addons for Elementor | 2518241230k+ | Missing nonce verification
#904 | Social Media Share Buttons & Social Sharing Icons | 252,4331,383100k+ | Unsafe printing function
#905 | Social Share Icons & Social Share Buttons | 252,3651,35710k+ | Output is not escaped
#906 | Vayu Blocks – Website Builder for the Gutenberg Block Editor | 251742331k+ | Text Domain Mismatch
#907 | Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP | 25205959500 | Request data is not unslashed
#908 | VikAppointments Services Booking Calendar | 259,7535,207500 | Output is not escaped
#909 | VikBooking Hotel Booking Engine & PMS | 2513,2448,3148k+ | Output is not escaped
#910 | VikRentCar Car Rental Management System | 255,5375,0484k+ | Non-prefixed global variable
#911 | VikRestaurants Table Reservations and Take-Away | 2511,6444,932600 | Output is not escaped
#912 | 3D viewer by Visody | 258321,3221k+ | Non-prefixed global variable
#913 | Product Customer List for WooCommerce | 256101,3349k+ | Non-prefixed global variable
#914 | weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot | 252795184k+ | Non-prefixed global variable
#915 | weForms – Easy Drag & Drop Contact Form Builder For WordPress | 2591645010k+ | Output is not escaped
#916 | Secure Gateway for Authorize.net and WooCommerce by Pledged Plugins | 259071,41810k+ | Non-prefixed global variable
#917 | Digital Goods (Checkout Field Editor) for WooCommerce Checkout | 255391,4793k+ | Non-prefixed global variable
#918 | WFatture for WooCommerce Fattureincloud | 25229774800 | Non-prefixed global variable
#919 | PDF Builder for WooCommerce. Create invoices,packing slips and more | 253725032k+ | Non-prefixed global variable
#920 | Payment Plugins for Stripe WooCommerce | 25348779100k+ | Non-prefixed global variable
#921 | Pay with Vipps and MobilePay for WooCommerce | 258465145k+ | Output is not escaped
#922 | Wordfence Login Security | 2524841870k+ | Output is not escaped
#923 | WordPress Importer | 252381102m+ | Output is not escaped
#924 | Analytify – Google Analytics Dashboard For WordPress (GA4 analytics tracking) | 2516929520k+ | Non-prefixed global variable
#925 | Super Page Cache – Cloudflare Cache, Page Speed & Core Web Vitals | 2513735360k+ | Input is not sanitized
#926 | Comments Extra Fields For Post,Pages and CPT | 25577418500 | Text Domain Mismatch
#927 | WP Coupons and Deals – WordPress Coupon Plugin | 259141,4601k+ | Non-prefixed global variable
#928 | WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards | 251,4311,27010k+ | Output is not escaped
#929 | WP Go Maps – Google Map, OpenStreetMap, Leaflet Map | 254,9961,008300k+ | Unsafe printing function
#930 | WP Google Review Slider | 251,3672,58430k+ | Non-prefixed global variable
#931 | WP Encryption – No.1 HTTPS plugin & One Click Free SSL Cert, HTTPS Redirect, Security | 257271,55450k+ | Non-prefixed global variable
#932 | Nested Pages | 2567456090k+ | Non-prefixed global variable
#933 | WP-Polls | 2561863940k+ | Unsafe printing function
#934 | WP Popups – WordPress Popup builder | 2544034230k+ | Output is not escaped
#935 | Perfect Images: Regenerate Thumbnails, Image Sizes, WebP & AVIF | 2515811860k+ | Non-prefixed global variable
#936 | SlimStat Analytics | 251,17787070k+ | Exception output is not escaped
#937 | Smush – Image Optimization, Compression, Lazy Load, WebP & CDN | 252525661m+ | Non-prefixed hook name
#938 | Wp Social Login and Register Social Counter | 258073890k+ | Non-prefixed global variable
#939 | WP Spell Check | 254,4122k+ | Direct Query
#940 | WP Statistics – Simple, privacy-friendly Google Analytics alternative | 256102,465600k+ | Non-prefixed global variable
#941 | WP Super Cache | 258009891m+ | Output is not escaped
#942 | WP Time Slots Booking Form | 254391,1371k+ | Non-prefixed global variable
#943 | WPCargo Track & Trace | 2523955710k+ | Non-prefixed global variable
#944 | WPvivid Backup for MainWP | 258181,79410k+ | Missing nonce verification
#945 | WPvivid — Backup, Migration & Staging | 258991,461900k+ | Non-prefixed namespace
#946 | Backup, Restore and Migrate your sites with XCloner | 2523886410k+ | Input is not sanitized
#947 | YeeMail — Email Template Builder & Customizer | 25606222600 | wp function not compatible with requires wp
#948 | Video Gallery – YouTube Gallery, Playlist & Video Grid | 252751,0662k+ | Non-prefixed hook name
#949 | YT Player – Embed and Customize Video Players | 253,1632611k+ | Output is not escaped
#950 | AfterShip Tracking – All-In-One WooCommerce Order Tracking (Free plan available) | 262862918k+ | Text Domain Mismatch