WordPress.Security.NonceVerification.Missing
Missing nonce verification
A request handler uses request data without verifying that the request was intentionally created by WordPress.
Why It Shows Up
The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.
Why It Matters
Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.
How to Fix
- Add a nonce to the form, link, AJAX request, or REST request.
- Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
- Keep capability checks separate; nonces prove intent, not permission.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1401 | Accordion FAQ – Compatible With All Page Builder (Elementor, Gutenberg) | 31 | 460 | 201 | 30k+ | Non Singular String Literal Domain | ||
| #1402 | Coming Soon Page & Maintenance Mode | 31 | 613 | 266 | 3k+ | Text Domain Mismatch | ||
| #1403 | Social Share Buttons | 31 | 462 | 156 | 1k+ | Text Domain Mismatch | ||
| #1404 | Sidebar Manager Light | 31 | 221 | 76 | 1k+ | Text Domain Mismatch | ||
| #1405 | Simple calendar for Elementor | 31 | 125 | 270 | 500 | Direct Query | ||
| #1406 | Smart Keywords Tool – 智能关键词插件 | 31 | 361 | 33 | 600 | Non Singular String Literal Domain | ||
| #1407 | SmartBill Facturare si Gestiune | 31 | 421 | 164 | 5k+ | Text Domain Mismatch | ||
| #1408 | SpeedyCache – Cache, Optimization, Performance | 31 | 65 | 118 | 600k+ | Input is not validated | ||
| #1409 | Swatchly – Product Variation Swatches for WooCommerce | 31 | 540 | 214 | 5k+ | Output is not escaped | ||
| #1410 | Team Builder – Team Member Showcase With Grid and slider, Compatible With Elementor, Gutenberg | 31 | 459 | 282 | 7k+ | Non Singular String Literal Domain | ||
| #1411 | WP Testimonials | 31 | 183 | 455 | 10k+ | Non-prefixed global variable | ||
| #1412 | Themify Store Locator | 31 | 244 | 125 | 500 | Text Domain Mismatch | ||
| #1413 | Tutor LMS Elementor Addons | 31 | 227 | 453 | 30k+ | Non-prefixed global variable | ||
| #1414 | Big File Uploads – Increase Maximum File Upload Size | 31 | 101 | 92 | 100k+ | Output is not escaped | ||
| #1415 | Ultimate Posts Widget | 31 | 309 | 86 | 10k+ | Output is not escaped | ||
| #1416 | User Spam Remover | 31 | 115 | 14 | 1k+ | Output is not escaped | ||
| #1417 | Blacklist Manager – WooCommerce Anti-Fraud, Blacklist & Checkout Verification | 31 | 295 | 876 | 2k+ | Missing nonce verification | ||
| #1418 | Web Push Notifications – Webpushr | 31 | 169 | 293 | 10k+ | Output is not escaped | ||
| #1419 | Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets | 31 | 837 | 295 | 100k+ | Unsafe printing function | ||
| #1420 | Return Refund and Exchange For WooCommerce | 31 | 24 | 713 | 4k+ | Non-prefixed global variable | ||
| #1421 | WooCommerce Legacy REST API | 31 | 324 | 177 | 400k+ | Missing Translators Comment | ||
| #1422 | Tooltips for WordPress | 31 | 312 | 252 | 5k+ | Output is not escaped | ||
| #1423 | Worldline Global Online Pay for WooCommerce | 31 | 160 | 86 | 500 | Missing direct file access protection | ||
| #1424 | Discussion Board – WordPress Forum Plugin | 31 | 105 | 153 | 2k+ | Request data is not unslashed | ||
| #1425 | WP Easy Uploader | 31 | 202 | 113 | 500 | Non Singular String Literal Domain | ||
| #1426 | WP Simple Booking Calendar | 31 | 337 | 380 | 20k+ | Output is not escaped | ||
| #1427 | WP Visitor Statistics (Real Time Traffic) | 31 | 353 | 691 | 20k+ | Nonce verification recommended | ||
| #1428 | WP ULike – Like & Dislike Buttons for Engagement and Feedback | 31 | 269 | 358 | 60k+ | Output is not escaped | ||
| #1429 | WP125 | 31 | 178 | 184 | 3k+ | Unsafe printing function | ||
| #1430 | Hosting Benchmark tool | 31 | 202 | 115 | 4k+ | rand rand | ||
| #1431 | One to one user Chat by WPGuppy | 31 | 74 | 187 | 700 | Non-prefixed global variable | ||
| #1432 | WPDoctor Malware Scanner & Vulnerability Checker & IP blocker with Hack monitor Lite | 31 | 133 | 438 | 600 | Non-prefixed global variable | ||
| #1433 | WPOrLogin – Custom Login, Social Login, Limit Attempts, Hide Login & reCAPTCHA | 31 | 483 | 217 | 2k+ | Unsafe printing function | ||
| #1434 | Dynamic XML Sitemaps Generator for Google | 31 | 75 | 411 | 20k+ | Non-prefixed global variable | ||
| #1435 | YAHMAN Add-ons | 31 | 468 | 141 | 1k+ | Output is not escaped | ||
| #1436 | Zendesk Support for WordPress | 31 | 195 | 88 | 2k+ | Output is not escaped | ||
| #1437 | ACME Divi Modules | 32 | 573 | 35 | 400 | Text Domain Mismatch | ||
| #1438 | Advanced Access Manager – Access Governance for WordPress | 32 | 849 | 62 | 100k+ | Output is not escaped | ||
| #1439 | All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier | 32 | 325 | 102 | 600 | Missing Arg Domain | ||
| #1440 | annasta Filters for WooCommerce | 32 | 1,073 | 441 | 2k+ | Text Domain Mismatch | ||
| #1441 | Aqua Page Builder | 32 | 320 | 114 | 3k+ | Output is not escaped | ||
| #1442 | Author Avatars List/Block | 32 | 85 | 135 | 4k+ | Non-prefixed hook name | ||
| #1443 | Auto YouTube Importer | 32 | 338 | 173 | 1k+ | Text Domain Mismatch | ||
| #1444 | Speed Kit | 32 | 296 | 73 | 2k+ | Output is not escaped | ||
| #1445 | Better Chat Support for Messenger | 32 | 73 | 103 | 1k+ | Interpolated SQL is not prepared | ||
| #1446 | Better Robots.txt – AI-Ready Crawl Control & Bot Governance | 32 | 55 | 83 | 5k+ | error log error log | ||
| #1447 | Bosa Elementor Addons and Templates for WooCommerce | 32 | 40 | 165 | 20k+ | slow db query tax query | ||
| #1448 | BP Classic | 32 | 664 | 216 | 6k+ | Unsafe printing function | ||
| #1449 | BuddyPress for LearnDash | 32 | 190 | 284 | 1k+ | Output is not escaped | ||
| #1450 | Quantity Discounts, Breaks & Product Bundles for Woocommerce By Bundler | 32 | 147 | 319 | 400 | Direct Query |