WordPress.Security.NonceVerification.Missing

Missing nonce verification

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical weight

Why It Shows Up

The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.

Why It Matters

Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.

How to Fix

Add a nonce to the form, link, AJAX request, or REST request.
Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
Keep capability checks separate; nonces prove intent, not permission.

References

WordPress nonces

Affected Plugins

Rank	Plugin	Score	Errors	Warnings	Installs	Added	Updated	Top Issue
#101	Premium Packages – Sell Digital Products Securely	21	2,765	2,444	3k+	8 years ago	6 months ago	Output is not escaped
#102	Frontend Admin by DynamiApps	22	5,922	3,208	10k+	7 years ago	6 days ago	Text Domain Mismatch
#103	Advanced Classifieds & Directory Pro	22	1,229	3,511	2k+	10 years ago	3 months ago	Non-prefixed global variable
#104	Advanced Form Integration — Connect Forms to 200+ Apps	22	5,771	4,678	10k+	7 years ago	5 days ago	wp function not compatible with requires wp
#105	All-in-One Video Gallery	22	911	2,892	20k+	9 years ago	today	Non-prefixed global variable
#106	Booking for Appointments and Events Calendar – Amelia	22	1,489	480	90k+	8 years ago	5 days ago	Exception output is not escaped
#107	Shortcodes and extra features for Phlox theme	22	413	426	90k+	10 years ago	2 months ago	Output is not escaped
#108	Knowledge Base documentation & wiki plugin – BasePress Docs	22	671	1,767	2k+	9 years ago	5 months ago	Non-prefixed global variable
#109	Borderless – Addons and Templates for Elementor	22	438	1,388	5k+	5 years ago	7 months ago	Non-prefixed global variable
#110	Better Messages – Chat Rooms, Group Chat, Private Messages & AI Chat Bots	22	1,604	2,019	10k+	9 years ago	13 days ago	Direct Query
#111	BuddyPress	22	583	9,008	100k+	17 years ago	9 months ago	Non-prefixed function
#112	Better WordPress Minify	22	412	484	8k+	15 years ago	9 years ago	Non Singular String Literal Domain
#113	Captcha by BestWebSoft – Advanced Spam Protection, Math & OCR-Friendly Captcha for Site Forms	22	493	295	10k+	9 years ago	3 months ago	Text Domain Mismatch
#114	Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer	22	2,858	1,270	50k+	9 years ago	2 months ago	Text Domain Mismatch
#115	Code Profiler – WordPress Performance Profiling and Debugging Made Easy	22	265	400	8k+	5 years ago	11 days ago	Non-prefixed global variable
#116	Passster – Password Protect Pages and Content	22	539	1,419	10k+	13 years ago	21 days ago	Non-prefixed global variable
#117	Cozy Blocks – Page Builder for Gutenberg Editor & FSE with 500+ Patterns, 57 Blocks & Templates	22	2,167	4,175	7k+	4 years ago	7 days ago	Non-prefixed global variable
#118	RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login	22	3,654	5,061	8k+	12 years ago	yesterday	Non-prefixed global variable
#119	WP Customer Area	22	3,308	941	10k+	13 years ago	2 months ago	Text Domain Mismatch
#120	SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager	22	705	845	8k+	5 years ago	yesterday	Non-prefixed global variable
#121	Directorist: AI-Powered Business Directory, Listings & Classified Ads	22	443	2,129	20k+	9 years ago	14 days ago	Non-prefixed global variable
#122	Download Manager	22	2,290	1,301	100k+	16 years ago	7 days ago	Output is not escaped
#123	Dynamic QR Code – generator	22	238	208	6k+	4 years ago	1 year ago	Missing direct file access protection
#124	E2Pdf – Export Pdf Tool for WordPress	22	1,075	836	10k+	8 years ago	7 days ago	Unsafe printing function
#125	Easy Social Feed – Social Photos Gallery and Post Feed for WordPress	22	1,567	1,277	30k+	12 years ago	2 months ago	Non-prefixed global variable
#126	Estatik Real Estate Plugin	22	3,049	325	10k+	11 years ago	10 days ago	Text Domain Mismatch
#127	Events Manager – Calendar, Bookings, Tickets, and more!	22	4,722	5,621	70k+	18 years ago	4 days ago	Output is not escaped
#128	Falang multilanguage for WordPress	22	716	769	1k+	7 years ago	12 days ago	Output is not escaped
#129	File Manager Pro – Filester	22	565	391	100k+	6 years ago	1 month ago	Request data is not unslashed
#130	Finale Lite – Sales Countdown Timer & Discount for WooCommerce	22	1,031	451	4k+	9 years ago	1 year ago	Output is not escaped
#131	FireBox Popups – Increase Sales and Grow Your Email List	22	153	812	7k+	5 years ago	8 days ago	Non-prefixed global variable
#132	Notification Bar, Announcement and Cookie Notice WordPress Plugin – FooBar	22	1,321	1,371	3k+	15 years ago	1 month ago	Non-prefixed global variable
#133	Five Star Restaurant Menu and Food Ordering	22	752	609	5k+	13 years ago	20 days ago	Output is not escaped
#134	FunnelKit Payment Gateway for Stripe WooCommerce	22	244	321	20k+	3 years ago	1 month ago	Input is not sanitized
#135	GeoDirectory – WP Business Directory Plugin and Classified Listings Directory	22	4,462	3,972	10k+	12 years ago	13 days ago	Output is not escaped
#136	Anti-Malware Security and Brute-Force Firewall	22	544	965	100k+	14 years ago	4 months ago	Output is not escaped
#137	Gutenberg	22	628	342	300k+	9 years ago	6 days ago	Missing direct file access protection
#138	Happyforms – Form Builder for WordPress: Drag & Drop Contact Forms, Surveys, Payments & Multipurpose Forms	22	1,037	722	20k+	8 years ago	27 days ago	Unsafe printing function
#139	HeadSpace2 SEO	22	940	360	3k+	19 years ago	9 years ago	Text Domain Mismatch
#140	Csomagpontok és Címkék WooCommerce-hez	22	2,001	769	7k+	5 years ago	20 days ago	Text Domain Mismatch
#141	IMPress for IDX Broker	22	1,085	636	7k+	14 years ago	2 months ago	Text Domain Mismatch
#142	Számlázz.hu integráció WooCommerce-hez	22	1,169	460	7k+	10 years ago	23 days ago	Text Domain Mismatch
#143	InfiniteWP Client	22	2,286	1,812	200k+	14 years ago	4 months ago	Exception output is not escaped
#144	Import WP – Export and Import CSV and XML files to WordPress	22	580	330	4k+	12 years ago	2 months ago	Exception output is not escaped
#145	LearnPress – WordPress LMS Plugin for Create and Sell Online Courses	22	2,361	3,384	70k+	11 years ago	6 days ago	Non-prefixed global variable
#146	Leyka	22	253	3,445	2k+	13 years ago	2 months ago	Request data is not unslashed
#147	Custom Login Page Customizer – Login Designer	22	588	1,455	30k+	9 years ago	7 months ago	Non-prefixed global variable
#148	MailOptin – Popup, Optin Forms & Email Newsletters for Mailchimp, HubSpot, AWeber Etc.	22	2,619	2,453	10k+	9 years ago	4 days ago	Output is not escaped
#149	Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider	22	207	323	500k+	13 years ago	12 days ago	Non-prefixed global variable
#150	Modula Image Gallery – Photo Grid & Video Gallery	22	474	436	100k+	11 years ago	7 days ago	Text Domain Mismatch