WordPress.Security.NonceVerification.Missing

Missing nonce verification

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical weight

Why It Shows Up

The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.

Why It Matters

Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.

How to Fix

  • Add a nonce to the form, link, AJAX request, or REST request.
  • Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
  • Keep capability checks separate; nonces prove intent, not permission.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1401Accordion FAQ – Compatible With All Page Builder (Elementor, Gutenberg)3146020130k+Non Singular String Literal Domain
#1402Coming Soon Page & Maintenance Mode316132663k+Text Domain Mismatch
#1403Social Share Buttons314621561k+Text Domain Mismatch
#1404Sidebar Manager Light31221761k+Text Domain Mismatch
#1405Simple calendar for Elementor31125270500Direct Query
#1406Smart Keywords Tool – 智能关键词插件3136133600Non Singular String Literal Domain
#1407SmartBill Facturare si Gestiune314211645k+Text Domain Mismatch
#1408SpeedyCache – Cache, Optimization, Performance3165118600k+Input is not validated
#1409Swatchly – Product Variation Swatches for WooCommerce315402145k+Output is not escaped
#1410Team Builder – Team Member Showcase With Grid and slider, Compatible With Elementor, Gutenberg314592827k+Non Singular String Literal Domain
#1411WP Testimonials3118345510k+Non-prefixed global variable
#1412Themify Store Locator31244125500Text Domain Mismatch
#1413Tutor LMS Elementor Addons3122745330k+Non-prefixed global variable
#1414Big File Uploads – Increase Maximum File Upload Size3110192100k+Output is not escaped
#1415Ultimate Posts Widget313098610k+Output is not escaped
#1416User Spam Remover31115141k+Output is not escaped
#1417Blacklist Manager – WooCommerce Anti-Fraud, Blacklist & Checkout Verification312958762k+Missing nonce verification
#1418Web Push Notifications – Webpushr3116929310k+Output is not escaped
#1419Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets31837295100k+Unsafe printing function
#1420Return Refund and Exchange For WooCommerce31247134k+Non-prefixed global variable
#1421WooCommerce Legacy REST API31324177400k+Missing Translators Comment
#1422Tooltips for WordPress313122525k+Output is not escaped
#1423Worldline Global Online Pay for WooCommerce3116086500Missing direct file access protection
#1424Discussion Board – WordPress Forum Plugin311051532k+Request data is not unslashed
#1425WP Easy Uploader31202113500Non Singular String Literal Domain
#1426WP Simple Booking Calendar3133738020k+Output is not escaped
#1427WP Visitor Statistics (Real Time Traffic)3135369120k+Nonce verification recommended
#1428WP ULike – Like & Dislike Buttons for Engagement and Feedback3126935860k+Output is not escaped
#1429WP125311781843k+Unsafe printing function
#1430Hosting Benchmark tool312021154k+rand rand
#1431One to one user Chat by WPGuppy3174187700Non-prefixed global variable
#1432WPDoctor Malware Scanner & Vulnerability Checker & IP blocker with Hack monitor Lite31133438600Non-prefixed global variable
#1433WPOrLogin – Custom Login, Social Login, Limit Attempts, Hide Login & reCAPTCHA314832172k+Unsafe printing function
#1434Dynamic XML Sitemaps Generator for Google317541120k+Non-prefixed global variable
#1435YAHMAN Add-ons314681411k+Output is not escaped
#1436Zendesk Support for WordPress31195882k+Output is not escaped
#1437ACME Divi Modules3257335400Text Domain Mismatch
#1438Advanced Access Manager – Access Governance for WordPress3284962100k+Output is not escaped
#1439All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier32325102600Missing Arg Domain
#1440annasta Filters for WooCommerce321,0734412k+Text Domain Mismatch
#1441Aqua Page Builder323201143k+Output is not escaped
#1442Author Avatars List/Block32851354k+Non-prefixed hook name
#1443Auto YouTube Importer323381731k+Text Domain Mismatch
#1444Speed Kit32296732k+Output is not escaped
#1445Better Chat Support for Messenger32731031k+Interpolated SQL is not prepared
#1446Better Robots.txt – AI-Ready Crawl Control & Bot Governance3255835k+error log error log
#1447Bosa Elementor Addons and Templates for WooCommerce324016520k+slow db query tax query
#1448BP Classic326642166k+Unsafe printing function
#1449BuddyPress for LearnDash321902841k+Output is not escaped
#1450Quantity Discounts, Breaks & Product Bundles for Woocommerce By Bundler32147319400Direct Query