WordPress.Security.NonceVerification.Missing
Missing nonce verification
A request handler uses request data without verifying that the request originated from a form, link, or AJAX call that WordPress generated for the current user.
Why It Shows Up
The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.
Why It Matters
Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request (cross-site request forgery).
How to Fix
- Add a nonce to the form, link, AJAX request, or REST request.
- Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
- Keep capability checks separate; nonces prove intent, not permission.
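As an added example (not code from the scan or from any plugin listed below), a minimal settings handler for a hypothetical `acme_example` plugin: the pattern this sniff flags next to the hardened version, which checks capability first, then the nonce, and only then reads and sanitizes the input. All `acme_*` names are assumptions.

```php
<?php
// Added example for a hypothetical plugin "acme_example"; not from the scan
// page or any listed plugin. Shows the flagged pattern and the fixed handler.

// BEFORE: flagged by WordPress.Security.NonceVerification.Missing.
// Request data drives a state change with no proof the user intended it.
function acme_example_save_setting_vulnerable() {
    if ( isset( $_POST['acme_color'] ) ) {
        update_option( 'acme_color', $_POST['acme_color'] ); // no nonce, no capability check, no sanitizing
    }
}

// AFTER, step 1: render the form with a nonce bound to one specific action.
function acme_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="acme_example_save">
        <?php wp_nonce_field( 'acme_example_save', 'acme_example_nonce' ); ?>
        <input type="text" name="acme_color" value="<?php echo esc_attr( get_option( 'acme_color', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// AFTER, step 2: handler for admin-post.php?action=acme_example_save.
function acme_example_save_setting() {
    // Permission: the nonce does not prove the user may do this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change this setting.', 'acme-example' ), 403 );
    }
    // Intent: check_admin_referer() verifies the nonce for this action and
    // name, and stops with an "expired link" page if it is missing or invalid.
    check_admin_referer( 'acme_example_save', 'acme_example_nonce' );

    // Only now read, unslash and sanitize the request data.
    $color = isset( $_POST['acme_color'] )
        ? sanitize_text_field( wp_unslash( $_POST['acme_color'] ) )
        : '';
    update_option( 'acme_color', $color );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_acme_example_save', 'acme_example_save_setting' );
```

For `admin-ajax.php` handlers the same shape applies with `check_ajax_referer()` in place of `check_admin_referer()`, and the nonce is sent as a request parameter produced by `wp_create_nonce()`.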
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue |
|---|---|---|---|---|---|---|
| #1001 | PanoPress | 31 | 111 | 234 | 2k+ | Output is not escaped |
| #1002 | افزونه پیامک ووکامرس Persian WooCommerce SMS | 31 | 72 | 269 | 40k+ | Nonce verification recommended |
| #1003 | Pop-up | 31 | 103 | 91 | 10k+ | Output is not escaped |
| #1004 | Post Pay Counter | 31 | 639 | 238 | 2k+ | Output is not escaped |
| #1005 | Product Configurator for WooCommerce | 31 | 41 | 557 | 3k+ | Non-prefixed hook name |
| #1006 | Qode Essential Addons | 31 | 55 | 295 | 10k+ | Non-prefixed global variable |
| #1007 | Query Monitor | 31 | 44 | 273 | 200k+ | Non-prefixed class |
| #1008 | reCAPTCHA in WP comments form | 31 | 264 | 60 | 8k+ | Output is not escaped |
| #1009 | Accordion FAQ – Compatible With All Page Builder (Elementor, Gutenberg) | 31 | 460 | 201 | 30k+ | Non Singular String Literal Domain |
| #1010 | Coming Soon Page & Maintenance Mode | 31 | 613 | 266 | 3k+ | Text Domain Mismatch |
| #1011 | Rank Math SEO – AI SEO Tools to Dominate SEO Rankings | 31 | 45 | 373 | 4m+ | Non-prefixed global variable |
| #1012 | SmartBill Facturare si Gestiune | 31 | 421 | 164 | 5k+ | Text Domain Mismatch |
| #1013 | SpeedyCache – Cache, Optimization, Performance | 31 | 65 | 115 | 600k+ | Input is not validated |
| #1014 | Swatchly – Product Variation Swatches for WooCommerce | 31 | 540 | 214 | 5k+ | Output is not escaped |
| #1015 | Team Builder – Team Member Showcase With Grid and slider, Compatible With Elementor, Gutenberg | 31 | 459 | 282 | 7k+ | Non Singular String Literal Domain |
| #1016 | WP Testimonials | 31 | 183 | 455 | 10k+ | Non-prefixed global variable |
| #1017 | Tutor LMS Elementor Addons | 31 | 227 | 457 | 30k+ | Non-prefixed global variable |
| #1018 | Big File Uploads – Increase Maximum File Upload Size | 31 | 101 | 92 | 100k+ | Output is not escaped |
| #1019 | Ultimate Posts Widget | 31 | 309 | 86 | 10k+ | Output is not escaped |
| #1020 | User Spam Remover | 31 | 115 | 14 | 1k+ | Output is not escaped |
| #1021 | Blacklist Manager – WooCommerce Anti-Fraud, Blacklist & Checkout Verification | 31 | 284 | 830 | 2k+ | Missing nonce verification |
| #1022 | Web Push Notifications – Webpushr | 31 | 169 | 293 | 10k+ | Output is not escaped |
| #1023 | Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets | 31 | 837 | 295 | 100k+ | Unsafe printing function |
| #1024 | WooCommerce Legacy REST API | 31 | 324 | 177 | 400k+ | Missing Translators Comment |
| #1025 | Tooltips for WordPress | 31 | 312 | 252 | 5k+ | Output is not escaped |
| #1026 | Discussion Board – WordPress Forum Plugin | 31 | 105 | 153 | 2k+ | Request data is not unslashed |
| #1027 | WP Simple Booking Calendar | 31 | 337 | 381 | 20k+ | Output is not escaped |
| #1028 | WP Visitor Statistics (Real Time Traffic) | 31 | 353 | 691 | 20k+ | Nonce verification recommended |
| #1029 | WP ULike – Like & Dislike Buttons for Engagement and Feedback | 31 | 269 | 358 | 60k+ | Output is not escaped |
| #1030 | WP125 | 31 | 178 | 184 | 3k+ | Unsafe printing function |
| #1031 | Hosting Benchmark tool | 31 | 202 | 115 | 4k+ | rand rand |
| #1032 | YAHMAN Add-ons | 31 | 468 | 141 | 1k+ | Output is not escaped |
| #1033 | YML for Yandex Market | 31 | 37 | 293 | 10k+ | Non-prefixed global variable |
| #1034 | Zendesk Support for WordPress | 31 | 195 | 88 | 2k+ | Output is not escaped |
| #1035 | Advanced Access Manager – Access Governance for WordPress | 32 | 849 | 62 | 100k+ | Output is not escaped |
| #1036 | annasta Filters for WooCommerce | 32 | 1,073 | 441 | 2k+ | Text Domain Mismatch |
| #1037 | Aqua Page Builder | 32 | 320 | 114 | 3k+ | Output is not escaped |
| #1038 | Author Avatars List/Block | 32 | 85 | 135 | 4k+ | Non-prefixed hook name |
| #1039 | Auto YouTube Importer | 32 | 338 | 173 | 1k+ | Text Domain Mismatch |
| #1040 | Speed Kit | 32 | 296 | 73 | 2k+ | Output is not escaped |
| #1041 | Bosa Elementor Addons and Templates for WooCommerce | 32 | 40 | 165 | 20k+ | slow db query tax query |
| #1042 | BP Classic | 32 | 664 | 216 | 6k+ | Unsafe printing function |
| #1043 | BuddyPress for LearnDash | 32 | 190 | 284 | 1k+ | Output is not escaped |
| #1044 | Child Theme Configurator | 32 | 442 | 267 | 300k+ | Unsafe printing function |
| #1045 | Vimeotheque – Vimeo WordPress Plugin & Video Gallery | 32 | 642 | 264 | 2k+ | Unsafe printing function |
| #1046 | Cooked – Recipe Management | 32 | 462 | 275 | 3k+ | Output is not escaped |
| #1047 | Currency Switcher for WooCommerce | 32 | 357 | 263 | 10k+ | Text Domain Mismatch |
| #1048 | DHL eCommerce (Benelux) for WooCommerce | 32 | 222 | 330 | 2k+ | Nonce verification recommended |
| #1049 | Download Attachments | 32 | 69 | 188 | 8k+ | Non-prefixed hook name |
| #1050 | Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) | 32 | 560 | 198 | 6k+ | Text Domain Mismatch |