WordPress.Security.NonceVerification.Missing

Missing nonce verification

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical weight

Why It Shows Up

The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.

Why It Matters

Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.

How to Fix

Add a nonce to the form, link, AJAX request, or REST request.
Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
Keep capability checks separate; nonces prove intent, not permission.

References

WordPress nonces

Affected Plugins

Rank	Plugin	Score	Errors	Warnings	Installs	Updated	Top Issue
#51	Backup Migration	21	981	1,093	80k+	17 days ago	Non Prefixed Variable Found
#52	bbPress	21	929	3,672	100k+	12 months ago	Non Prefixed Function Found
#53	Pinpoint Booking System – Version 2	21	634	328	3k+	4 days ago	missing direct file access protection
#54	CallTrackingMetrics	21	923	286	3k+	4 months ago	Unsafe Printing Function
#55	Captcha Them All	21	300	323	6k+	3 years ago	Output Not Escaped
#56	Smart Grid-Layout Design for Contact Form 7	21	1,126	734	10k+	2 months ago	Output Not Escaped
#57	Comet Cache	21	857	245	20k+	12 months ago	Output Not Escaped
#58	Cost Calculator Builder	21	322	765	30k+	3 days ago	Non Prefixed Variable Found
#59	Free Downloads WooCommerce	21	430	359	4k+	1 month ago	Output Not Escaped
#60	Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More	21	2,572	1,277	1m+	1 month ago	Output Not Escaped
#61	Envo Extra	21	878	600	20k+	26 days ago	Text Domain Mismatch
#62	eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams	21	186	437	9k+	2 months ago	Non Prefixed Variable Found
#63	ERP: Complete HR, Accounting & CRM Suite with Recruitment and WooCommerce CRM Support	21	829	5,966	5k+	4 days ago	Direct Query
#64	Eupago Gateway For Woocommerce	21	612	320	2k+	2 months ago	Output Not Escaped
#65	EventPrime – Events Calendar, Bookings and Tickets	21	872	4,297	7k+	2 days ago	Non Prefixed Variable Found
#66	Feeds for YouTube (YouTube video, channel, and gallery plugin)	21	558	978	100k+	12 days ago	Output Not Escaped
#67	FileOrganizer – WordPress File Manager	21	536	241	200k+	12 days ago	unlink unlink
#68	Campaign Monitor for WordPress	21	386	461	2k+	2 months ago	Non Prefixed Variable Found
#69	If-So Dynamic Content – Elementor & All Page Builders Personalization	21	889	725	7k+	25 days ago	Unsafe Printing Function
#70	Imagify: Optimize Images for Top Speed (Compress & Convert to WebP/AVIF)	21	418	851	1m+	21 days ago	Non Prefixed Variable Found
#71	JCH Optimize	21	953	133	4k+	5 months ago	Output Not Escaped
#72	LA-Studio Element Kit for Elementor	21	8,390	1,964	10k+	6 days ago	Text Domain Mismatch
#73	Mapster WP Maps	21	3,440	2,903	3k+	11 days ago	Text Domain Mismatch
#74	MotoPress Hotel Booking	21	3,061	1,037	10k+	7 days ago	Text Domain Mismatch
#75	Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred	21	1,469	3,333	10k+	4 days ago	Non Prefixed Variable Found
#76	OneLogin SAML SSO	21	508	330	7k+	7 months ago	wp function not compatible with requires wp
#77	Packeta	21	802	333	8k+	8 months ago	Exception Not Escaped
#78	Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages	21	1,173	2,983	9k+	20 days ago	Non Prefixed Variable Found
#79	Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction	21	1,918	5,065	10k+	20 days ago	Non Prefixed Hookname Found
#80	User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor	21	696	1,483	50k+	12 days ago	Recommended
#81	PublishPress Planner – Editorial Calendar, Marketing Content, Kanban Board	21	603	890	6k+	1 month ago	Output Not Escaped
#82	Razorpay Quick Payments	21	399	63	3k+	1 year ago	Exception Not Escaped
#83	Five Star Restaurant Reservations – WordPress Booking Plugin	21	1,099	1,147	10k+	3 days ago	Output Not Escaped
#84	Rocket Maintenance Mode & Coming Soon Page	21	1,176	1,406	4k+	2 years ago	Non Prefixed Variable Found
#85	Royal Addons for Elementor – Addons and Templates Kit for Elementor	21	13,011	2,530	600k+	14 days ago	Text Domain Mismatch
#86	Seamless Donations is Sunset	21	600	514	2k+	2 years ago	Text Domain Mismatch
#87	Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic	21	327	181	10k+	2 years ago	Output Not Escaped
#88	Smart Forms – when you need more than just a contact form	21	776	574	5k+	1 month ago	Output Not Escaped
#89	Accept Stripe Payments	21	373	882	20k+	2 months ago	Missing
#90	ThirstyAffiliates – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin	21	190	660	30k+	26 days ago	Non Prefixed Variable Found
#91	Buckaroo Woocommerce Payments Plugin	21	563	326	2k+	6 days ago	Exception Not Escaped
#92	WCFM – Frontend Manager for WooCommerce	21	4,721	5,067	20k+	2 months ago	Non Prefixed Variable Found
#93	WebP Express	21	160	427	300k+	3 days ago	Non Prefixed Variable Found
#94	Wise Chat	21	470	506	5k+	4 months ago	Output Not Escaped
#95	Paysera Payment Gateway for WooCommerce	21	1,866	195	7k+	18 days ago	Exception Not Escaped
#96	Booster for WooCommerce – PDF Invoices, Abandoned Cart, Variation Swatches & 100+ Tools	21	786	3,395	30k+	5 days ago	Non Prefixed Variable Found
#97	PPOM – Product Addons & Custom Fields for WooCommerce	21	336	1,325	20k+	20 days ago	Non Prefixed Variable Found
#98	Wordfence Security – Firewall, Malware Scan, and Login Security	21	1,592	2,973	5m+	1 month ago	Output Not Escaped
#99	WP-Lister Lite for eBay	21	6,697	5,129	2k+	19 days ago	Output Not Escaped
#100	WP phpMyAdmin	21	4,528	6,435	50k+	8 months ago	Missing Arg Domain