WordPress.Security.NonceVerification.Missing
Missing nonce verification
A request handler acts on request data without verifying that the request was intentionally issued by the user through a form, link, or endpoint that WordPress generated for them.
Why It Shows Up
The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.
Why It Matters
Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request (cross-site request forgery): the handler cannot distinguish a request the user meant to make from one that a third-party page caused their browser to send with their cookies attached.
How to Fix
- Add a nonce to the form, link, AJAX request, or REST request.
- Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
- Keep capability checks separate; nonces prove intent, not permission.
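The three steps above, worked through in an added example (this code is not from the page or from any plugin listed below). It assumes a hypothetical plugin with a settings page that stores one option, `myplugin_api_endpoint`, via a form posted to `admin-post.php`; every `myplugin_*` identifier is invented for the illustration. The first function is the pattern the sniff flags; the rest shows the nonce added to the form, verified before any state change, and kept separate from the capability check.

```php
<?php
// Added example, not page or plugin code. "myplugin_*" names are hypothetical.

// --- Before: the pattern the sniff reports. $_POST is consumed and an option
// is written with no proof that the logged-in user meant to submit this form.
function myplugin_save_settings_unsafe() {
    update_option( 'myplugin_api_endpoint', $_POST['endpoint'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
}

// --- After, step 1: emit a nonce with the form. wp_nonce_field() adds a hidden
// field (here named "myplugin_nonce") tied to the action string and the
// current user's session.
function myplugin_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save_settings">
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <input type="url" name="endpoint"
               value="<?php echo esc_attr( get_option( 'myplugin_api_endpoint', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// --- After, step 2 and 3: verify the nonce before changing state, and keep the
// capability check as a separate question. The nonce only shows the request
// came from a form WordPress rendered for this user; it says nothing about
// whether that user is allowed to change settings.
function myplugin_save_settings() {
    // Permission: may this user change settings at all?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // Intent: does the request carry a valid nonce for this action? On failure
    // check_admin_referer() calls wp_die() itself, so nothing below runs.
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

    $endpoint = isset( $_POST['endpoint'] )
        ? esc_url_raw( wp_unslash( $_POST['endpoint'] ) )
        : '';
    update_option( 'myplugin_api_endpoint', $endpoint );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin&updated=1' ) );
    exit;
}
add_action( 'admin_post_myplugin_save_settings', 'myplugin_save_settings' );

// The same two checks for an AJAX action. check_ajax_referer() terminates the
// request on a bad or missing nonce (the field is named "nonce" here; the
// JavaScript side would obtain its value from wp_create_nonce('myplugin_clear_cache')).
function myplugin_ajax_clear_cache() {
    check_ajax_referer( 'myplugin_clear_cache', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    delete_transient( 'myplugin_cache' );
    wp_send_json_success();
}
add_action( 'wp_ajax_myplugin_clear_cache', 'myplugin_ajax_clear_cache' );

// For REST routes, do not hand-roll a nonce check: register the route with a
// permission_callback for the capability, and let core's cookie authentication
// validate the X-WP-Nonce header (action "wp_rest") before the callback runs.
```

The order of the two checks in `myplugin_save_settings()` is a design choice, not a requirement: either order is safe as long as both run before `update_option()`. What matters for this sniff is that no `$_POST` value influences state until the nonce has been verified, and that passing the nonce is never treated as proof of permission.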
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Updated | Top Issue |
|---|---|---|---|---|---|---|---|
| #1501 | Redirectioner | 37 | 234 | 410 | 1k+ | | Output is not escaped |
| #1502 | Adapta RGPD | 37 | 349 | 72 | 40k+ | | Text Domain Mismatch |
| #1503 | AddToAny Share Buttons | 37 | 123 | 164 | 300k+ | | Unsafe printing function |
| #1504 | Add to Cart Redirect for WooCommerce | 37 | 215 | 141 | 8k+ | | Text Domain Mismatch |
| #1505 | Advanced Accordion Gutenberg Block – Create Beautiful FAQs, Content Accordions & Interactive Tabs | 37 | 40 | 36 | 10k+ | | Missing direct file access protection |
| #1506 | PiWeb Advanced Flat rate / Conditional shipping for WooCommerce | 37 | 84 | 192 | 2k+ | | wp function not compatible with requires wp |
| #1507 | Advanced Media Offloader | 37 | 59 | 93 | 5k+ | | error log error log |
| #1508 | Anything Popup | 37 | 164 | 185 | 2k+ | | Non-prefixed global variable |
| #1509 | Apaczka: integracja z WooCommerce | 37 | 8 | 316 | 3k+ | | Non-prefixed global variable |
| #1510 | Login by Auth0 | 37 | 307 | 82 | 10k+ | | Text Domain Mismatch |
| #1511 | Banhammer – Monitor Site Traffic, Block Bad Users and Bots | 37 | 104 | 174 | 1k+ | | Output is not escaped |
| #1512 | Custom Thank You Page Customize For WooCommerce by Binary Carpenter | 37 | 45 | 80 | 2k+ | | error log error log |
| #1513 | Before After Image Comparison Slider for Elementor | 37 | 90 | 41 | 10k+ | | Text Domain Mismatch |
| #1514 | Better Click To Share – Shareable Quote Boxes for X (Twitter) | 37 | 170 | 59 | 6k+ | | Unsafe printing function |
| #1515 | Booster Extension | 37 | 28 | 289 | 7k+ | | Non-prefixed global variable |
| #1516 | Britetechs Companion | 37 | 966 | 613 | 2k+ | | Text Domain Mismatch |
| #1517 | CDEKDelivery | 37 | 98 | 75 | 2k+ | | Exception output is not escaped |
| #1518 | Clearpay Gateway for WooCommerce | 37 | 185 | 63 | 1k+ | | Text Domain Mismatch |
| #1519 | ClickCease Click Fraud Protection | 37 | 30 | 58 | 10k+ | | Non-prefixed class |
| #1520 | ClickRank – Ai SEO Automation | 37 | 10 | 226 | 1k+ | | Direct Query |
| #1521 | CorvusPay WooCommerce Payment Gateway | 37 | 29 | 141 | 1k+ | | Missing nonce verification |
| #1522 | Simple Custom CSS and JS | 37 | 168 | 69 | 600k+ | | Output is not escaped |
| #1523 | Custom Post Template | 37 | 48 | 30 | 10k+ | | Output is not escaped |
| #1524 | Debug Log Manager Tool | 37 | 33 | 108 | 3k+ | | Nonce verification recommended |
| #1525 | Disclaimer Popup | 37 | 313 | 53 | 1k+ | | Text Domain Mismatch |
| #1526 | Duo Two-Factor Authentication | 37 | 44 | 61 | 3k+ | | Missing nonce verification |
| #1527 | Pricing Table WordPress Plugin – Easy Pricing Tables | 37 | 332 | 161 | 10k+ | | Output is not escaped |
| #1528 | Email Encoder – Protect Email Addresses and Phone Numbers | 37 | 10 | 150 | 90k+ | | Non-prefixed global variable |
| #1529 | Facturare WooCommerce | 37 | 158 | 106 | 3k+ | | Text Domain Mismatch |
| #1530 | Favorites | 37 | 204 | 121 | 10k+ | | Unsafe printing function |
| #1531 | Gmail SMTP | 37 | 84 | 73 | 10k+ | | Unsafe printing function |
| #1532 | HandL UTM Grabber / Tracker | 37 | 27 | 141 | 10k+ | | Missing nonce verification |
| #1533 | HT Menu – WordPress Mega Menu Builder for Elementor | 37 | 300 | 60 | 3k+ | | Text Domain Mismatch |
| #1534 | WP All Import – Import SEO Settings for Rank Math SEO | 37 | 40 | 51 | 7k+ | | Nonce verification recommended |
| #1535 | Job Manager & Career – Manage job board listings, and recruitments | 37 | 112 | 205 | 2k+ | | Missing nonce verification |
| #1536 | JS Help Desk – AI-Powered Support & Ticketing System | 37 | 17 | 406 | 7k+ | | Missing nonce verification |
| #1537 | JVM Rich Text Icons | 37 | 86 | 34 | 3k+ | | Output is not escaped |
| #1538 | LearnPress – Course Review | 37 | 67 | 43 | 20k+ | | Output is not escaped |
| #1539 | LH Archived Post Status | 37 | 150 | 64 | 3k+ | | Text Domain Mismatch |
| #1540 | PiWeb Live sales notification for WooCommerce | 37 | 289 | 77 | 30k+ | | Text Domain Mismatch |
| #1541 | LiveJournal Importer | 37 | 86 | 67 | 8k+ | | Output is not escaped |
| #1542 | MailMunch – Grow your Email List | 37 | 82 | 84 | 6k+ | | Output is not escaped |
| #1543 | Maintenance Page | 37 | 62 | 33 | 3k+ | | Output is not escaped |
| #1544 | Max Mega Menu | 37 | 249 | 174 | 300k+ | | Output is not escaped |
| #1545 | Meks Video Importer | 37 | 62 | 239 | 2k+ | | Input is not sanitized |
| #1546 | Metorik – Reports & Email Automation for WooCommerce | 37 | 75 | 70 | 10k+ | | Output is not escaped |
| #1547 | Monobank WP Payment | 37 | 78 | 41 | 1k+ | | Text Domain Mismatch |
| #1548 | WP All Export – Order Export for WooCommerce | 37 | 109 | 111 | 3k+ | | Text Domain Mismatch |
| #1549 | Page scroll to id | 37 | 38 | 120 | 100k+ | | Missing nonce verification |
| #1550 | PNG to JPG | 37 | 130 | 173 | 9k+ | | Interpolated SQL is not prepared |