WordPress.Security.NonceVerification.Missing
Missing nonce verification
A request handler reads request data without verifying that the request was intentionally initiated by the user through a form, link or script that WordPress generated for them.
Why It Shows Up
The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.
Why It Matters
Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.
How to Fix
- Add a nonce to the form, link, AJAX request, or REST request.
- Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
- Keep capability checks separate; nonces prove intent, not permission.
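The three steps above, shown together as an added example (this is not code from the scanner page or from any listed plugin): the unverified handler the sniff flags, and the fixed version in which the form emits a nonce, the handler verifies it with `check_admin_referer()`, and the capability check stays separate. The `myplugin_` prefix, option name and action names are assumptions.

```php
<?php
// Added example. Hypothetical plugin prefix "myplugin_"; option and action names are assumptions.

// BEFORE: flagged by WordPress.Security.NonceVerification.Missing. Any request that reaches
// this handler while an administrator is logged in changes the option, however it was initiated.
function myplugin_save_settings_unsafe() {
    if ( isset( $_POST['myplugin_footer_text'] ) ) {
        update_option( 'myplugin_footer_text', sanitize_text_field( wp_unslash( $_POST['myplugin_footer_text'] ) ) );
    }
}

// AFTER, step 1: the form carries a nonce tied to the action name and the current user.
function myplugin_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <input type="hidden" name="action" value="myplugin_save_settings">
        <input type="text" name="myplugin_footer_text"
               value="<?php echo esc_attr( get_option( 'myplugin_footer_text', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// AFTER, steps 2 and 3: verify intent (nonce) and permission (capability) before changing state.
function myplugin_save_settings() {
    // Permission: nonces do not prove this user may change options, so check the capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.', 'myplugin' ), '', array( 'response' => 403 ) );
    }
    // Intent: check_admin_referer() validates the nonce named in the second argument and
    // stops execution with a "link has expired" page when it is missing or invalid.
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

    $text = isset( $_POST['myplugin_footer_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['myplugin_footer_text'] ) )
        : '';
    update_option( 'myplugin_footer_text', $text );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ? wp_get_referer() : admin_url() ) );
    exit;
}
add_action( 'admin_post_myplugin_save_settings', 'myplugin_save_settings' );

// AJAX handlers follow the same pattern: the JS sends wp_create_nonce( 'myplugin_ajax' ) as "security",
// and check_ajax_referer() rejects the request (HTTP 403, body -1) before any state changes.
function myplugin_ajax_handler() {
    check_ajax_referer( 'myplugin_ajax', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_myplugin_action', 'myplugin_ajax_handler' );
```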
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Updated | Top Issue |
|---|---|---|---|---|---|---|---|
| #1551 | WP Content Copy Protection with Color Design | 38 | 96 | 61 | 5k+ | | Non Singular String Literal Domain |
| #1552 | Real-Time Post Statistics for WordPress | 38 | 63 | 68 | 2k+ | | Not Prepared |
| #1553 | External Store for Shopify | 38 | 97 | 33 | 2k+ | | Output Not Escaped |
| #1554 | WP Terms Popup – Terms and Conditions and Privacy Policy WordPress Popups | 38 | 299 | 58 | 3k+ | | Non Singular String Literal Domain |
| #1555 | Dynamic XML Sitemaps Generator for Google | 38 | 74 | 133 | 20k+ | | Missing Unslash |
| #1556 | Zoho Campaigns | 38 | 3 | 129 | 3k+ | | Non Prefixed Variable Found |
| #1557 | ACF: Google Font Selector | 39 | 57 | 45 | 3k+ | | Output Not Escaped |
| #1558 | Add Tiktok Pixel for Tiktok ads (+Woocommerce) | 39 | 97 | 26 | 2k+ | | Output Not Escaped |
| #1559 | Advanced Product Fields (Product Addons) for WooCommerce | 39 | 145 | 145 | 50k+ | | Output Not Escaped |
| #1560 | Advanced Woo Labels – Product Labels & Badges for WooCommerce | 39 | 172 | 122 | 10k+ | | Output Not Escaped |
| #1561 | Accessibility by AllAccessible | 39 | 200 | 82 | 2k+ | | Unsafe Printing Function |
| #1562 | Timeline – Vertical and Horizontal Timeline Layouts | 39 | 500 | 43 | 2k+ | | Output Not Escaped |
| #1563 | Better Search Replace | 39 | 96 | 43 | 1m+ | | Unsafe Printing Function |
| #1564 | Billplz for WooCommerce | 39 | 289 | 65 | 6k+ | | Text Domain Mismatch |
| #1565 | Birds Custom Login | 39 | 196 | 23 | 4k+ | | Non Singular String Literal Domain |
| #1566 | Bogo | 39 | 30 | 139 | 10k+ | | Missing Unslash |
| #1567 | BugSnag Error Monitoring plugin | 39 | 52 | 96 | 2k+ | | wp function not compatible with requires wp |
| #1568 | Bulk Auto Image Alt Text (Alt tag, Alt attribute) optimizer (image SEO) | 39 | 17 | 50 | 10k+ | | Missing Unslash |
| #1569 | Bulk NoIndex & NoFollow Toolkit | 39 | 72 | 172 | 2k+ | | Recommended |
| #1570 | Configurable Tag Cloud (CTC) | 39 | 126 | 121 | 2k+ | | Output Not Escaped |
| #1571 | Contact Form 7 – Dynamic Text Extension | 39 | 103 | 28 | 100k+ | | Output Not Escaped |
| #1572 | Image CAPTCHA for Contact Form 7 and WPForms by HookAndHook (DSGVO/GDPR) | 39 | 28 | 45 | 80k+ | | Missing |
| #1573 | Country & Phone Field Contact Form 7 | 39 | 117 | 34 | 40k+ | | Text Domain Mismatch |
| #1574 | DefendWP Firewall | 39 | 16 | 203 | 3k+ | | Non Prefixed Variable Found |
| #1575 | Donation Thermometer | 39 | 718 | 84 | 2k+ | | Output Not Escaped |
| #1576 | Export All URLs | 39 | 151 | 45 | 50k+ | | Non Singular String Literal Domain |
| #1577 | BestWebSoft's Like & Share – Posts, Pages and Widget Social Extension plugin for WordPress | 39 | 480 | 226 | 4k+ | | Text Domain Mismatch |
| #1578 | Faster Image Insert | 39 | 94 | 26 | 2k+ | | Output Not Escaped |
| #1579 | Genesis Dambuster | 39 | 94 | 67 | 3k+ | | Output Not Escaped |
| #1580 | Gift Up Gift Cards for WordPress and WooCommerce | 39 | 94 | 60 | 5k+ | | Output Not Escaped |
| #1581 | Prisna GWT – Google Website Translator | 39 | 117 | 77 | 8k+ | | Text Domain Mismatch |
| #1582 | GoSMTP – SMTP for WordPress | 39 | 59 | 42 | 500k+ | | Output Not Escaped |
| #1583 | Graphina – Charts and Graphs For Elementor | 39 | 1,895 | 113 | 10k+ | | Text Domain Mismatch |
| #1584 | Gravity Slider Fields | 39 | 56 | 36 | 2k+ | | Text Domain Mismatch |
| #1585 | HD Quiz | 39 | 252 | 81 | 7k+ | | Output Not Escaped |
| #1586 | Maintenance Mode | 39 | 86 | 109 | 7k+ | | Output Not Escaped |
| #1587 | hpb seo plugin for WordPress | 39 | 15 | 87 | 2k+ | | Non Prefixed Variable Found |
| #1588 | If Menu – Visibility control for Menus | 39 | 281 | 63 | 50k+ | | Output Not Escaped |
| #1589 | S2W – Import Shopify to WooCommerce | 39 | 8 | 132 | 3k+ | | Missing Unslash |
| #1590 | Improved Save Button | 39 | 44 | 52 | 4k+ | | Missing Translators Comment |
| #1591 | Insert Html Snippet | 39 | 159 | 205 | 20k+ | | Output Not Escaped |
| #1592 | JetGridBuilder — Grid Builder for Elementor and Gutenberg | 39 | 414 | 40 | 4k+ | | Text Domain Mismatch |
| #1593 | Leaflet Map | 39 | 59 | 32 | 30k+ | | Output Not Escaped |
| #1594 | LH Add Media From Url | 39 | 42 | 26 | 2k+ | | Output Not Escaped |
| #1595 | LuckyWP Table of Contents | 39 | 438 | 62 | 100k+ | | Output Not Escaped |
| #1596 | Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid | 39 | 65 | 72 | 6k+ | | block api version too low |
| #1597 | Mail Subscribe List | 39 | 17 | 94 | 3k+ | | Input Not Validated |
| #1598 | MC4WP: Mailchimp for WordPress | 39 | 1 | 294 | 1m+ | | Non Prefixed Variable Found |
| #1599 | Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin | 39 | 1 | 395 | 3k+ | | Input Not Sanitized |
| #1600 | Markup by Attribute for WooCommerce | 39 | 46 | 102 | 2k+ | | Direct Query |