WordPress.Security.NonceVerification.Missing
Missing nonce verification
A request handler reads request data (`$_GET`, `$_POST`, `$_REQUEST`, `$_FILES`) and acts on it without verifying a nonce, so nothing proves that the request was deliberately submitted by the current user through a form, link or script the site generated for them.
Why It Shows Up
The scan found a read of `$_GET`, `$_POST`, or another request superglobal in a function that contains no call to a nonce-verifying function (`wp_verify_nonce()`, `check_admin_referer()`, `check_ajax_referer()`), or that uses the data before the check runs. The sniff is static and scoped to the function it inspects: a nonce verified by a caller does not satisfy it.
Why It Matters
Without nonce verification the handler is open to cross-site request forgery (CSRF): an attacker lures a logged-in user to a page that auto-submits a form or loads a crafted URL, the browser attaches the victim's WordPress cookies, and the handler performs the state change with the victim's privileges. A nonce is a short-lived token (24 hours by default) bound to the action, the user and the login session, so a request forged without access to a page the site served to that user fails the check. Nonces do not protect logged-out visitors (every anonymous visitor receives the same nonce for a given action) and they say nothing about whether the user is allowed to perform the action.
How to Fix
- Emit a nonce wherever the request originates: `wp_nonce_field()` in forms, `wp_nonce_url()` on action links, `wp_create_nonce()` passed to scripts for AJAX calls. Cookie-authenticated REST requests send the `wp_rest` nonce in the `X-WP-Nonce` header, and core verifies it before the route callback runs.
- Verify it at the top of the handler, before any read of request data or any state change. `check_admin_referer()` (admin form posts) and `check_ajax_referer()` (`wp_ajax_*` handlers) terminate the request on failure by default; `wp_verify_nonce()` only returns `false`, `1` or `2`, so the caller must stop on `false` itself.
- Keep capability checks separate; nonces prove intent, not permission. Pair every nonce check with `current_user_can()` for the capability the action requires.
- If the request really is verified elsewhere, annotate the line with a `phpcs:ignore WordPress.Security.NonceVerification.Missing` comment that names where the check happens, rather than suppressing the sniff for the whole file.
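The steps above, worked through on one admin settings handler as an added example. This is not code from any plugin in the table; the `myplugin_` function names, option name, nonce actions, `admin.js` file and text domain are placeholders chosen for the illustration.

```php
<?php
/**
 * Added example (not from any scanned plugin): a settings handler before and
 * after the fix, plus the AJAX and manual-verification variants.
 * All myplugin_* names, the option name and the text domain are placeholders.
 */

// BEFORE: reads $_POST with no nonce check. Any page the admin visits can POST
// this form to admin-post.php and the browser supplies the admin's cookies.
function myplugin_save_settings_unsafe() {
	if ( isset( $_POST['myplugin_api_key'] ) ) { // flagged: NonceVerification.Missing
		update_option( 'myplugin_api_key', sanitize_text_field( wp_unslash( $_POST['myplugin_api_key'] ) ) );
	}
}

// 1. Emit the nonce where the request originates (hidden field + referer field).
function myplugin_render_settings_page() {
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="myplugin_save_settings">
		<?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
		<input type="text" name="myplugin_api_key"
		       value="<?php echo esc_attr( get_option( 'myplugin_api_key', '' ) ); ?>">
		<?php submit_button( __( 'Save', 'myplugin' ) ); ?>
	</form>
	<?php
}

// 2. AFTER: permission first, then intent, then input. check_admin_referer()
//    calls wp_die() with HTTP 403 when the nonce is missing, expired or forged.
function myplugin_save_settings() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'You are not allowed to change these settings.', 'myplugin' ), '', array( 'response' => 403 ) );
	}
	check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

	$api_key = isset( $_POST['myplugin_api_key'] )
		? sanitize_text_field( wp_unslash( $_POST['myplugin_api_key'] ) )
		: '';
	update_option( 'myplugin_api_key', $api_key );

	wp_safe_redirect( admin_url( 'options-general.php?page=myplugin&updated=1' ) );
	exit;
}
add_action( 'admin_post_myplugin_save_settings', 'myplugin_save_settings' );

// 3. AJAX variant. The nonce is minted server-side and handed to the script;
//    check_ajax_referer() replies -1 with HTTP 400 and exits on failure.
function myplugin_enqueue_admin_script() {
	wp_enqueue_script( 'myplugin-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
	wp_localize_script( 'myplugin-admin', 'mypluginAjax', array(
		'url'   => admin_url( 'admin-ajax.php' ),
		'nonce' => wp_create_nonce( 'myplugin_delete_item' ),
	) );
}
add_action( 'admin_enqueue_scripts', 'myplugin_enqueue_admin_script' );

function myplugin_ajax_delete_item() {
	check_ajax_referer( 'myplugin_delete_item', 'nonce' );
	$post_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
	// Capability check is per object: the nonce proved intent, not ownership.
	if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}
	wp_delete_post( $post_id, true );
	wp_send_json_success( array( 'deleted' => $post_id ) );
}
add_action( 'wp_ajax_myplugin_delete_item', 'myplugin_ajax_delete_item' );

// 4. Manual check when wp_die() is not the desired failure mode.
//    wp_verify_nonce() returns 1 (first 12 h), 2 (second 12 h) or false;
//    treat anything but a truthy value as a forgery.
function myplugin_nonce_is_valid( $field, $action ) {
	$nonce = isset( $_POST[ $field ] ) ? sanitize_text_field( wp_unslash( $_POST[ $field ] ) ) : '';
	return '' !== $nonce && false !== wp_verify_nonce( $nonce, $action );
}
```

The assumed `admin.js` posts `action=myplugin_delete_item`, `id` and `nonce=mypluginAjax.nonce` to `mypluginAjax.url`. REST routes need none of this in the callback: they read a `WP_REST_Request` rather than superglobals, core already checks `X-WP-Nonce` for cookie-authenticated calls, and the `permission_callback` carries the capability check.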
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue |
|---|---|---|---|---|---|---|
| #1201 | Di Themes Demo Site Importer | 29 | 343 | 183 | 1k+ | Text Domain Mismatch |
| #1202 | Document Gallery | 29 | 183 | 98 | 8k+ | Output is not escaped |
| #1203 | DoLogin Security | 29 | 312 | 305 | 7k+ | Output is not escaped |
| #1204 | Interactive Image Map Plugin – Draw Attention | 29 | 620 | 227 | 20k+ | Output is not escaped |
| #1205 | Everest Toolkit | 29 | 145 | 141 | 1k+ | Missing Translators Comment |
| #1206 | Advanced Shipping Rates for WooCommerce: Flexible Table Rate Shipping Rules | 29 | 185 | 504 | 2k+ | Non-prefixed global variable |
| #1207 | FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider | 29 | 74 | 78 | 600k+ | Missing Translators Comment |
| #1208 | Getwid – Gutenberg Blocks | 29 | 139 | 173 | 50k+ | Non-prefixed global variable |
| #1209 | Gianism | 29 | 395 | 154 | 700 | Text Domain Mismatch |
| #1210 | reCaptcha by BestWebSoft | 29 | 474 | 272 | 100k+ | Text Domain Mismatch |
| #1211 | Interactive World Map | 29 | 684 | 341 | 1k+ | Text Domain Mismatch |
| #1212 | Wishlist for WooCommerce | 29 | 610 | 296 | 600 | Output is not escaped |
| #1213 | Kits, Templates and Patterns | 29 | 380 | 91 | 5k+ | Text Domain Mismatch |
| #1214 | Laposta WooCommerce | 29 | 96 | 115 | 500 | Non-prefixed global variable |
| #1215 | Liteweight Podcast – Host and Embed Podcast Episodes | 29 | 536 | 239 | 500 | Output is not escaped |
| #1216 | Login Me Now – Passwordless, Magic Link, OTP & Social Login for WordPress | 29 | 86 | 233 | 500 | Nonce verification recommended |
| #1217 | Music Player for WooCommerce | 29 | 106 | 155 | 1k+ | Non-prefixed global variable |
| #1218 | MyWorks Sync for WooCommerce & Xero | 29 | 1 | 1,080 | 800 | Non-prefixed global variable |
| #1219 | Offload Media – Cloud Storage | 29 | 126 | 80 | 1k+ | unlink |
| #1220 | Page Restrict for WooCommerce | 29 | 579 | 374 | 700 | Text Domain Mismatch |
| #1221 | Page View Count | 29 | 108 | 247 | 10k+ | Dynamic hook name |
| #1222 | PhastPress | 29 | 95 | 52 | 10k+ | Exception output is not escaped |
| #1223 | PlatiOnline Payments | 29 | 304 | 110 | 700 | Output is not escaped |
| #1224 | Post Timeline | 29 | 91 | 200 | 800 | Missing nonce verification |
| #1225 | Post Views Counter | 29 | 179 | 398 | 200k+ | Non-prefixed hook name |
| #1226 | Pósturinn's Shipping with WooCommerce | 29 | 713 | 551 | 500 | Text Domain Mismatch |
| #1227 | Recipe Card Blocks Lite | 29 | 151 | 408 | 10k+ | Non-prefixed global variable |
| #1228 | Relevant – Related, Featured, Latest, and Popular Posts by BestWebSoft | 29 | 487 | 262 | 800 | Text Domain Mismatch |
| #1229 | Responder | 29 | 77 | 185 | 3k+ | Non-prefixed global variable |
| #1230 | SamedayCourier Shipping | 29 | 336 | 269 | 4k+ | Non Singular String Literal Domain |
| #1231 | Security Ninja – WordPress Security & Firewall | 29 | 149 | 347 | 7k+ | Direct Query |
| #1232 | Sender – Newsletter, SMS and Email Marketing Automation for WooCommerce | 29 | 148 | 246 | 5k+ | Unsafe printing function |
| #1233 | Slider by BestWebSoft | 29 | 478 | 336 | 400 | Text Domain Mismatch |
| #1234 | Social Engine | 29 | 133 | 90 | 600 | Exception output is not escaped |
| #1235 | SQLite Database Integration | 29 | 161 | 89 | 3k+ | Exception output is not escaped |
| #1236 | BuddyPress Builder for Elementor – BuddyBuilder | 29 | 348 | 329 | 1k+ | Text Domain Mismatch |
| #1237 | ووسلام – همگام سازی ووکامرس و باسلام (WooCommerce and Basalam sync) | 29 | 192 | 611 | 4k+ | Non-prefixed global variable |
| #1238 | Tabs Responsive – With WooCommerce Product Tabs Extension | 29 | 577 | 255 | 20k+ | Non Singular String Literal Domain |
| #1239 | Themify Popup | 29 | 232 | 108 | 8k+ | Text Domain Mismatch |
| #1240 | Themify – WooCommerce Product Filter | 29 | 643 | 145 | 20k+ | Output is not escaped |
| #1241 | Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX | 29 | 135 | 400 | 40k+ | Non-prefixed global variable |
| #1242 | User Verification by PickPlugins | 29 | 41 | 314 | 5k+ | Request data is not unslashed |
| #1243 | Visualizer – Tables & Charts Manager with Built-in AI Generator | 29 | 348 | 331 | 20k+ | Output is not escaped |
| #1244 | Custom Post Types and Custom Fields creator – WCK | 29 | 1,300 | 143 | 10k+ | Text Domain Mismatch |
| #1245 | Wenprise Alipay Gateway For WooCommerce | 29 | 113 | 68 | 700 | Exception output is not escaped |
| #1246 | Countdown Timer – Widget Countdown | 29 | 290 | 152 | 10k+ | Output is not escaped |
| #1247 | Widget for Yelp Reviews | 29 | 147 | 158 | 2k+ | Output is not escaped |
| #1248 | Product Carousel Slider & Grid Ultimate for WooCommerce | 29 | 719 | 122 | 6k+ | Text Domain Mismatch |
| #1249 | Global Payments SecureSubmit Gateway | 29 | 199 | 443 | 600 | Non-prefixed class |
| #1250 | Woostify Sites Library | 29 | 229 | 198 | 20k+ | Text Domain Mismatch |