WordPress.Security.NonceVerification.Missing

Missing nonce verification

A request handler reads request data and changes state without first verifying a nonce, so nothing proves that the request was deliberately made by the current user through the site's own form, link, AJAX call or REST call rather than forged by a page on another origin.

Weight: critical

Why It Shows Up

The sniff found a read of `$_POST` or `$_FILES` inside a function that never calls `wp_verify_nonce()`, `check_admin_referer()` or `check_ajax_referer()`. The check is static and scoped to the enclosing function: a nonce check done in a caller, or in a project wrapper the sniff does not know about, is not seen (WPCS lets you register such wrappers through the sniff's `customNonceVerificationFunctions` property). Reads of `$_GET` and `$_REQUEST` without a nonce check are reported as a warning by the sibling rule `NonceVerification.Recommended`, which is the "Nonce verification recommended" entry that appears in the table below.

Why It Matters

Without nonce verification the handler is open to cross-site request forgery (CSRF): a page on any other origin can auto-submit a form or fire a request at the site, the victim's browser attaches their login cookies, and the state change (a setting, a post, a user role) happens with the victim's privileges and without their knowledge. A WordPress nonce is a per-user, per-action token bound to the current session and valid for a bounded time (two 12-hour ticks, so 12 to 24 hours), and a foreign page cannot read it, so checking it ties the request to a page the site itself served. It proves intent only: a logged-in subscriber can obtain a perfectly valid nonce, so the nonce check does not replace a capability check.

How to Fix

  • Emit a nonce where the request originates: `wp_nonce_field()` in a form, `wp_nonce_url()` on a link, `wp_create_nonce()` handed to a script (for example via `wp_localize_script()`) for AJAX. Cookie-authenticated REST clients send it in the `X-WP-Nonce` header, which core's cookie authentication checks for you; the route still needs a proper `permission_callback`.
  • Verify it before any state change: `check_admin_referer()` and `check_ajax_referer()` die on failure by default, whereas `wp_verify_nonce()` only returns `false` (or `1`/`2` for the 12-hour tick it matched), so code that uses it must stop on `false` itself.
  • Keep capability checks separate: the nonce proves intent, `current_user_can()` proves permission, and a handler needs both. The nonce says nothing about the request's contents, so still unslash and sanitize the data afterwards.
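The three steps above, carried through in one handler, as an added example that is not code from any of the plugins in the table or from the sniff itself. The `acme_` prefix, the option name `acme_banner_text`, the nonce action names, the text domain `acme` and the `manage_options` capability are all assumptions made for the illustration; only the WordPress functions are real.

```php
<?php
// Added example, not code from the scanned plugins or from the sniff.
// The "acme_" prefix, option name, nonce action names, text domain and the
// required capability are assumptions made for this illustration.

// BEFORE: what NonceVerification.Missing flags. Any page on any origin can
// auto-submit this POST; the victim's browser attaches the login cookies and
// the option changes with the victim's privileges.
function acme_save_banner_vulnerable() {
	if ( isset( $_POST['acme_banner_text'] ) ) {
		update_option( 'acme_banner_text', $_POST['acme_banner_text'] );
	}
}

// AFTER, step 1: the form carries a nonce bound to the action name.
function acme_banner_form() {
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="acme_save_banner">
		<?php wp_nonce_field( 'acme_save_banner', 'acme_nonce' ); ?>
		<input type="text" name="acme_banner_text"
		       value="<?php echo esc_attr( get_option( 'acme_banner_text', '' ) ); ?>">
		<?php submit_button( __( 'Save', 'acme' ) ); ?>
	</form>
	<?php
}

// AFTER, step 2: the admin-post.php handler checks intent, then permission,
// then input, and only then changes state.
function acme_save_banner() {
	// Intent: dies with "The link you followed has expired." when the nonce is
	// absent, expired, or was issued for another user, session or action.
	check_admin_referer( 'acme_save_banner', 'acme_nonce' );

	// Permission: a logged-in subscriber can obtain a valid nonce too.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'You are not allowed to do this.', 'acme' ), 403 );
	}

	// Input: core adds slashes to superglobals; strip them, then sanitize.
	$text = isset( $_POST['acme_banner_text'] )
		? sanitize_text_field( wp_unslash( $_POST['acme_banner_text'] ) )
		: '';
	update_option( 'acme_banner_text', $text );

	$back = wp_get_referer() ? wp_get_referer() : admin_url();
	wp_safe_redirect( add_query_arg( 'acme_updated', '1', $back ) );
	exit;
}
add_action( 'admin_post_acme_save_banner', 'acme_save_banner' );

// AJAX variant: the nonce is created server-side and handed to the script,
// which posts it back as "acme_nonce". check_ajax_referer() replies -1 and
// dies when the check fails (its third argument, $die, defaults to true).
function acme_enqueue_admin_script() {
	wp_enqueue_script( 'acme-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
	wp_localize_script( 'acme-admin', 'acmeAjax', array(
		'url'   => admin_url( 'admin-ajax.php' ),
		'nonce' => wp_create_nonce( 'acme_save_banner' ),
	) );
}
add_action( 'admin_enqueue_scripts', 'acme_enqueue_admin_script' );

function acme_ajax_save_banner() {
	check_ajax_referer( 'acme_save_banner', 'acme_nonce' );
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}
	$text = isset( $_POST['acme_banner_text'] )
		? sanitize_text_field( wp_unslash( $_POST['acme_banner_text'] ) )
		: '';
	update_option( 'acme_banner_text', $text );
	wp_send_json_success( $text );
}
add_action( 'wp_ajax_acme_save_banner', 'acme_ajax_save_banner' );

// Link variant: wp_nonce_url() appends _wpnonce to the URL. wp_verify_nonce()
// never dies, so the handler has to bail out on false by itself.
function acme_reset_link() {
	return wp_nonce_url( admin_url( 'admin-post.php?action=acme_reset_banner' ), 'acme_reset_banner' );
}
function acme_reset_banner() {
	$nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
	if ( ! wp_verify_nonce( $nonce, 'acme_reset_banner' ) || ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Invalid request.', 'acme' ), 403 );
	}
	delete_option( 'acme_banner_text' );
	wp_safe_redirect( admin_url() );
	exit;
}
add_action( 'admin_post_acme_reset_banner', 'acme_reset_banner' );
```

Run against the vulnerable function, the sniff reports `Processing form data without nonce verification.` at the `$_POST` read; against `acme_save_banner()` it is silent because `check_admin_referer()` appears in the same function scope. Note that moving the `check_admin_referer()` call into a helper would bring the error back unless that helper is registered in `customNonceVerificationFunctions`.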

Affected Plugins

| Rank | Plugin | Score | Errors / Warnings / Installs (run together) | Top Issue |
|---|---|---|---|---|
| #951 | AI Content Writing Assistant | 26 | 1,069516700 | Text Domain Mismatch |
| #952 | Attesa Extra | 26 | 3161511k+ | Output is not escaped |
| #953 | Blog Floating Button | 26 | 7052409k+ | Output is not escaped |
| #954 | Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar | 26 | 5262635k+ | Output is not escaped |
| #955 | Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More | 26 | 9727010k+ | error log error log |
| #956 | Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty | 26 | 113671400k+ | Non-prefixed global variable |
| #957 | Database for Contact Form 7, WPforms, Elementor forms | 26 | 31748960k+ | Non-prefixed global variable |
| #958 | Translate WordPress with ConveyThis – AI Multilingual Plugin | 26 | 1592971k+ | Non-prefixed global variable |
| #959 | CP Multi View Events Calendar | 26 | 864391k+ | Non-prefixed global variable |
| #960 | WP Frontend Admin – Display WP Admin Pages in the Frontend | 26 | 347337400 | Non Singular String Literal Domain |
| #961 | Ditty – Responsive News Tickers, Sliders, and Lists | 26 | 56148430k+ | Output is not escaped |
| #962 | Accept Donations with PayPal & Stripe | 26 | 91657210k+ | Unsafe printing function |
| #963 | ezCache | 26 | 12726910k+ | Direct Query |
| #964 | RSS Redirect & Feedburner Alternative | 26 | 2772721k+ | Output is not escaped |
| #965 | FG Drupal to WordPress | 26 | 275100700 | Unsafe printing function |
| #966 | FG PrestaShop to WooCommerce | 26 | 25494900 | Unsafe printing function |
| #967 | FlagShip WooCommerce Shipping | 26 | 495188400 | Non Singular String Literal Domain |
| #968 | Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager | 26 | 11359790k+ | Non-prefixed global variable |
| #969 | FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) | 26 | 5944172k+ | Exception output is not escaped |
| #970 | FV Antispam | 26 | 332239900 | Output is not escaped |
| #971 | Translate WordPress – Google Language Translator | 26 | 200317100k+ | Non-prefixed global variable |
| #972 | GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites | 26 | 284216500 | badly named files |
| #973 | Ibtana – WordPress Website Builder | 26 | 17340910k+ | Non-prefixed global variable |
| #974 | Image SEO – AI-Driven Image SEO Optimizer | 26 | 3503271k+ | Text Domain Mismatch |
| #975 | Integrate Razorpay for Contact Form 7 | 26 | 15297500 | curl curl setopt |
| #976 | Kadence Central – Site Management, Backups, Security, and Reporting | 26 | 46221330k+ | Text Domain Mismatch |
| #977 | JustTables – WooCommerce Product Table | 26 | 534652600 | Non-prefixed global variable |
| #978 | Landing Page Cat – Coming Soon & Maintenance Pages | 26 | 91180600 | Non-prefixed class |
| #979 | Loco Translate | 26 | 4542421m+ | Output is not escaped |
| #980 | MakeStories (for Google Web Stories) | 26 | 117416600 | Nonce verification recommended |
| #981 | Media File Renamer: Rename for better SEO (AI-Powered) | 26 | 15417040k+ | Direct Query |
| #982 | Hotel Booking | 26 | 6909404k+ | Unsafe printing function |
| #983 | Omise Payments | 26 | 3582562k+ | Output is not escaped |
| #984 | Online Contact Widget-多合一在线客服插件 | 26 | 70880800 | Non Singular String Literal Domain |
| #985 | OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) | 26 | 2725766k+ | Request data is not unslashed |
| #986 | Open User Map – Interactive Leaflet Maps | 26 | 89398610k+ | Non-prefixed global variable |
| #987 | Organic Builder Widgets – Simple WordPress Page Builder | 26 | 1,0341254k+ | Output is not escaped |
| #988 | Barion Payment Gateway for WooCommerce | 26 | 712216k+ | Non-prefixed global variable |
| #989 | Paytium: Mollie payment forms & donations | 26 | 5065513k+ | Unsafe printing function |
| #990 | PDF for WPForms + Drag and Drop Template Builder | 26 | 6741131k+ | wp function not compatible with requires wp |
| #991 | LoginWP (Formerly Peter's Login Redirect) | 26 | 40127890k+ | Output is not escaped |
| #992 | Crowdsignal Dashboard – Polls, Surveys & more | 26 | 486489200k+ | Unsafe printing function |
| #993 | Portfolio by BestWebSoft – Work and Projects Presentation Plugin for WordPress | 26 | 525240600 | Text Domain Mismatch |
| #994 | Premmerce User Roles | 26 | 5971,357600 | Non-prefixed global variable |
| #995 | Pressidium Cookie Consent | 26 | 2039510k+ | Exception output is not escaped |
| #996 | Product Table For WooCommerce | 26 | 191858600 | Non-prefixed global variable |
| #997 | Profile Extra Fields by BestWebSoft | 26 | 5145322k+ | Text Domain Mismatch |
| #998 | Related Posts Thumbnails Plugin for WordPress | 26 | 38219820k+ | Output is not escaped |
| #999 | RestaurantPress | 26 | 265518600 | Output is not escaped |
| #1000 | Send Users Email – Email Subscribers, Email Marketing Newsletter | 26 | 1884155k+ | Non-prefixed global variable |