WordPress.Security.NonceVerification.Missing
Missing nonce verification
A request handler uses request data without verifying that the request was intentionally initiated by the current user from a page WordPress generated.
Why It Shows Up
The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.
Why It Matters
Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.
How to Fix
- Add a nonce to the form, link, AJAX request, or REST request.
- Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
- Keep capability checks separate; nonces prove intent, not permission.
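The fix above, as an added example that is not code from the scanner or from any listed plugin: an admin-post handler before and after nonce verification, with the capability check kept separate. The `myplugin_*` names and the option key are hypothetical.

```php
<?php
// Added example, not code from the scanner or any listed plugin.
// Names (myplugin_*) and the option key are hypothetical.

// BEFORE: flagged as WordPress.Security.NonceVerification.Missing.
// A forged cross-site POST submitted by a logged-in admin's browser
// reaches this code and silently overwrites the setting.
function myplugin_save_settings_unsafe() {
    if ( isset( $_POST['myplugin_api_key'] ) ) {
        $key = sanitize_text_field( wp_unslash( $_POST['myplugin_api_key'] ) );
        update_option( 'myplugin_api_key', $key );
    }
}

// AFTER, step 1: the form embeds a nonce tied to a specific action.
function myplugin_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save_settings">
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <input type="text" name="myplugin_api_key"
               value="<?php echo esc_attr( get_option( 'myplugin_api_key', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// AFTER, step 2: the handler checks permission and intent separately,
// and only then touches request data.
function myplugin_save_settings() {
    // Permission: may this user change settings at all?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'myplugin' ), 403 );
    }
    // Intent: did the request originate from our form for this action?
    // check_admin_referer() calls wp_die() itself on an invalid or expired
    // nonce; wp_verify_nonce() instead returns false and leaves the
    // response to you.
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

    $key = isset( $_POST['myplugin_api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['myplugin_api_key'] ) )
        : '';
    update_option( 'myplugin_api_key', $key );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_myplugin_save_settings', 'myplugin_save_settings' );
```

For AJAX handlers the same split applies, with `check_ajax_referer()` in place of `check_admin_referer()`.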
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Updated | Top Issue |
|---|---|---|---|---|---|---|---|
| #1151 | Photonic Gallery & Lightbox for Flickr, SmugMug & Others | 36 | 180 | 163 | 10k+ | Missing Translators Comment |
| #1152 | Plugins Garbage Collector (Database Cleanup) | 36 | 32 | 51 | 10k+ | Missing |
| #1153 | WowStore – Store Builder & Product Blocks for WooCommerce | 36 | 66 | 429 | 4k+ | Non Prefixed Variable Found |
| #1154 | افزونه رسمی ترب | 36 | 42 | 86 | 20k+ | Exception Not Escaped |
| #1155 | Qubely – Advanced Gutenberg Blocks | 36 | 39 | 78 | 8k+ | Missing Unslash |
| #1156 | Quick 301 Redirects | 36 | 89 | 120 | 5k+ | Non Prefixed Variable Found |
| #1157 | QuickWebP – Compress / Optimize Images & Convert WebP \| SEO Friendly | 36 | 172 | 108 | 8k+ | Non Singular String Literal Domain |
| #1158 | Rara One Click Demo Import | 36 | 122 | 98 | 20k+ | Missing Translators Comment |
| #1159 | Better Find and Replace – AI-Powered Suggestions | 36 | 67 | 129 | 40k+ | missing direct file access protection |
| #1160 | RTMKit | 36 | 5 | 377 | 50k+ | Non Prefixed Variable Found |
| #1161 | Search & Replace | 36 | 50 | 53 | 100k+ | Missing |
| #1162 | Search Everything | 36 | 165 | 77 | 10k+ | Text Domain Mismatch |
| #1163 | ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution | 36 | 63 | 667 | 100k+ | Non Prefixed Variable Found |
| #1164 | Subscribe to Comments | 36 | 129 | 163 | 10k+ | Output Not Escaped |
| #1165 | Advance Side Cart, Ajax Cart & Floating Cart for WooCommerce | 36 | 37 | 121 | 6k+ | Non Prefixed Variable Found |
| #1166 | Zoho ZeptoMail | 36 | 32 | 110 | 5k+ | Missing Unslash |
| #1167 | TrustMate.io – WooCommerce integration | 36 | 251 | 97 | 3k+ | Output Not Escaped |
| #1168 | FOMO & Social Proof Notifications by TrustPulse – Best WordPress FOMO Plugin | 36 | 104 | 39 | 10k+ | Output Not Escaped |
| #1169 | Ubigeo de Perú para Woocommerce y WordPress | 36 | 191 | 235 | 4k+ | Non Prefixed Function Found |
| #1170 | Uji Countdown | 36 | 284 | 98 | 4k+ | Text Domain Mismatch |
| #1171 | User Roles and Capabilities | 36 | 227 | 132 | 8k+ | Output Not Escaped |
| #1172 | Quantity Plus Minus Button for WooCommerce | 36 | 83 | 84 | 10k+ | Output Not Escaped |
| #1173 | AWPLife Weather Effects | 36 | 19 | 698 | 4k+ | Non Prefixed Variable Found |
| #1174 | Orders Tracking for WooCommerce | 36 | 8 | 330 | 10k+ | Missing Unslash |
| #1175 | Extended Coupon Features for WooCommerce FREE | 36 | 219 | 63 | 10k+ | Text Domain Mismatch |
| #1176 | Hide admin notices – Admin Notification Center | 36 | 114 | 67 | 8k+ | Output Not Escaped |
| #1177 | WP Coder – Insert & Manage Code Snippets | 36 | 53 | 280 | 10k+ | Recommended |
| #1178 | WP Header Images | 36 | 174 | 133 | 6k+ | Unsafe Printing Function |
| #1179 | WP Mail SMTP by WPForms – The Most Popular SMTP and Email Log Plugin | 36 | 18 | 146 | 4m+ | Direct Query |
| #1180 | Payment Button for PayPal | 36 | 155 | 86 | 4k+ | Unsafe Printing Function |
| #1181 | WP Responsive Menu | 36 | 296 | 144 | 30k+ | Text Domain Mismatch |
| #1182 | WP Hardening (discontinued) | 36 | 230 | 85 | 10k+ | Text Domain Mismatch |
| #1183 | WP Show Posts | 36 | 107 | 102 | 70k+ | Output Not Escaped |
| #1184 | WP Socializer – Simple & Easy Social Media Share Icons | 36 | 214 | 51 | 10k+ | Output Not Escaped |
| #1185 | WP Sort Order | 36 | 134 | 211 | 6k+ | Direct Query |
| #1186 | Yandex.Metrica | 36 | 76 | 30 | 60k+ | Output Not Escaped |
| #1187 | Wppao Sitemap | 36 | 128 | 21 | 9k+ | Output Not Escaped |
| #1188 | Visual CSS Style Editor | 36 | 283 | 233 | 40k+ | Output Not Escaped |
| #1189 | Custom Product Tabs for WooCommerce | 36 | 87 | 81 | 80k+ | Output Not Escaped |
| #1190 | Zarinpal Gateway | 36 | 151 | 55 | 50k+ | Non Singular String Literal Domain |
| #1191 | Adapta RGPD | 37 | 349 | 72 | 40k+ | Text Domain Mismatch |
| #1192 | AddToAny Share Buttons | 37 | 123 | 164 | 300k+ | Unsafe Printing Function |
| #1193 | Add to Cart Redirect for WooCommerce | 37 | 215 | 141 | 8k+ | Text Domain Mismatch |
| #1194 | Advanced Accordion Gutenberg Block – Create Beautiful FAQs, Content Accordions & Interactive Tabs | 37 | 40 | 36 | 10k+ | missing direct file access protection |
| #1195 | Advanced Media Offloader | 37 | 59 | 93 | 5k+ | error log error log |
| #1196 | Apaczka: integracja z WooCommerce | 37 | 8 | 316 | 3k+ | Non Prefixed Variable Found |
| #1197 | Login by Auth0 | 37 | 307 | 82 | 10k+ | Text Domain Mismatch |
| #1198 | Before After Image Comparison Slider for Elementor | 37 | 90 | 41 | 10k+ | Text Domain Mismatch |
| #1199 | Better Click To Share – Shareable Quote Boxes for X (Twitter) | 37 | 170 | 59 | 6k+ | Unsafe Printing Function |
| #1200 | Booster Extension | 37 | 28 | 289 | 7k+ | Non Prefixed Variable Found |