WordPress.Security.NonceVerification.Missing
Missing nonce verification
A request handler reads request data and acts on it without verifying that the request was intentionally initiated by the current user from a page this site served, which is what a WordPress nonce attests.
Why It Shows Up
The scan found `$_POST` or `$_FILES` used in a function that contains no nonce check (`wp_verify_nonce()`, `check_admin_referer()`, or `check_ajax_referer()`). Use of `$_GET` (and `$_REQUEST`, which may carry GET data) without a check is reported as the sibling warning `WordPress.Security.NonceVerification.Recommended`, which is the "Nonce verification recommended" top issue in the table below.
Why It Matters
Without a nonce check the handler is open to cross-site request forgery (CSRF): a page on another site can make a logged-in user's browser submit the form or follow the link, and WordPress cannot tell that submission from one the user made deliberately. If the handler changes state (saves an option, deletes a post, creates a user), the attacker gets that change made with the victim's privileges.
How to Fix
- Emit a nonce with the request: `wp_nonce_field()` in a form, `wp_nonce_url()` on an action link, `wp_create_nonce()` passed to JavaScript for admin-ajax calls, or, for REST, the `wp_rest` nonce sent in the `X-WP-Nonce` header, which core already checks for cookie-authenticated requests.
- Verify it before reading the data or changing state: `check_admin_referer()` in admin-post and form handlers, `check_ajax_referer()` in admin-ajax handlers, or `wp_verify_nonce()` where you need to handle failure yourself (it returns `false` on failure rather than dying). Use a specific action string, and bind the object ID into it so a nonce issued for one item cannot be replayed against another.
- Keep capability checks separate and in addition: nonces prove intent, not permission. Any logged-in user, including a subscriber, can obtain a nonce from a page they are allowed to view, so also call `current_user_can()` for the capability the action requires.
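A worked "before and after" for the admin-post handler case, added here as an example and not taken from any plugin listed on this page. The `myplug_` function, option, nonce and page names are assumptions; the WordPress functions called are real core APIs.

```php
<?php
// Added example. Everything prefixed "myplug_" is hypothetical; the WordPress
// functions (wp_nonce_field, check_admin_referer, current_user_can, ...) are core.

// BEFORE: what the sniff flags. Any logged-in user whose browser can be made to
// POST here (a hidden form on an attacker's site) overwrites the option.
function myplug_save_unsafe() {
    $value = sanitize_text_field( wp_unslash( $_POST['myplug_api_url'] ?? '' ) );
    update_option( 'myplug_api_url', $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplug' ) );
    exit;
}

// AFTER, step 1: emit the nonce with the form. The action string ties the nonce
// to this one operation; the field name is what the handler looks up.
function myplug_render_settings_page() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplug_save">
        <?php wp_nonce_field( 'myplug_save_settings', 'myplug_nonce' ); ?>
        <input type="text" name="myplug_api_url"
               value="<?php echo esc_attr( get_option( 'myplug_api_url', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// AFTER, step 2: verify the nonce, then (separately) the capability, then read
// the input. admin_post_{action} only fires for logged-in users.
add_action( 'admin_post_myplug_save', 'myplug_save_safe' );
function myplug_save_safe() {
    // Intent: dies with "The link you followed has expired." when the nonce is
    // missing, forged, issued for another user/session, or past its lifetime
    // (24 hours by default, checked in two 12-hour ticks).
    check_admin_referer( 'myplug_save_settings', 'myplug_nonce' );

    // Permission: a valid nonce only proves the request came from a page this
    // site served to this user. Subscribers get nonces too, so check capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'myplug' ), 403 );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['myplug_api_url'] ?? '' ) );
    update_option( 'myplug_api_url', $value );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=myplug' ) ) );
    exit;
}

// Same pattern for a GET action link (e.g. "delete" in a list table). Binding
// the id into the action stops a nonce for one item being replayed on another.
function myplug_delete_link( $id ) {
    $id = (int) $id;
    return wp_nonce_url(
        admin_url( 'admin-post.php?action=myplug_delete&id=' . $id ),
        'myplug_delete_' . $id
    );
}

add_action( 'admin_post_myplug_delete', 'myplug_delete_safe' );
function myplug_delete_safe() {
    $id = isset( $_GET['id'] ) ? (int) $_GET['id'] : 0;
    // wp_nonce_url() uses the default query arg "_wpnonce", which is also
    // check_admin_referer()'s default second argument.
    check_admin_referer( 'myplug_delete_' . $id );
    if ( ! current_user_can( 'delete_post', $id ) ) {
        wp_die( esc_html__( 'You are not allowed to delete this item.', 'myplug' ), 403 );
    }
    wp_delete_post( $id, true );
    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
}
```

For an admin-ajax handler the same two checks apply, with `check_ajax_referer( 'myplug_ajax', 'nonce' )` in place of `check_admin_referer()` and the nonce created server-side with `wp_create_nonce( 'myplug_ajax' )` and passed to the script (for example via `wp_localize_script()`). Where the handler must not die on failure, test `wp_verify_nonce( $nonce, $action ) === false` explicitly; the function returns `1`, `2` or `false`, never throws.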
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1651 | Open Graphite | 38 | 380 | 204 | 3k+ | | | Unsafe printing function |
| #1652 | Permalink Manager Lite | 38 | 29 | 178 | 100k+ | | | Nonce verification recommended |
| #1653 | Remove WordPress Overhead | 38 | 64 | 47 | 1k+ | | | Text Domain Mismatch |
| #1654 | WP REST API – OAuth 1.0a Server | 38 | 100 | 85 | 8k+ | | | Text Domain Mismatch |
| #1655 | Like This | 38 | 60 | 17 | 1k+ | | | Output is not escaped |
| #1656 | RSS Feed Widget | 38 | 207 | 89 | 2k+ | | | Unsafe printing function |
| #1657 | Schema App Structured Data | 38 | 35 | 86 | 7k+ | | | Nonce verification recommended |
| #1658 | Author Image | 38 | 51 | 33 | 1k+ | | | Output is not escaped |
| #1659 | Shapely Companion | 38 | 49 | 39 | 10k+ | | | Output is not escaped |
| #1660 | Simple JWT Login – Allows you to use JWT on REST endpoints. | 38 | 712 | 95 | 4k+ | | | Output is not escaped |
| #1661 | Simple Keyword to Link | 38 | 90 | 49 | 3k+ | | | Non Singular String Literal Domain |
| #1662 | SimpleShop | 38 | 52 | 50 | 1k+ | | | date date |
| #1663 | Social Icons | 38 | 72 | 83 | 10k+ | | | Output is not escaped |
| #1664 | SOGO Accessibility | 38 | 147 | 40 | 5k+ | | | Non Singular String Literal Domain |
| #1665 | Sticky Header Effects for Elementor | 38 | 243 | 71 | 300k+ | | | Text Domain Mismatch |
| #1666 | Sync Post With Other Site | 38 | 179 | 24 | 3k+ | | | Non Singular String Literal Domain |
| #1667 | Tag Manager – Header, Body And Footer | 38 | 97 | 319 | 20k+ | | | Non-prefixed global variable |
| #1668 | Variation Swatches for WooCommerce – Color, Image & Button Swatches | 38 | 45 | 64 | 2k+ | | | Output is not escaped |
| #1669 | TinyPNG – JPEG, PNG & WebP image compression | 38 | 196 | 141 | 100k+ | | | Output is not escaped |
| #1670 | Twenty Eleven Theme Extensions | 38 | 35 | 30 | 3k+ | | | Output is not escaped |
| #1671 | Twitter for WordPress | 38 | 47 | 24 | 1k+ | | | Output is not escaped |
| #1672 | TypePad emoji for TinyMCE | 38 | 100 | 24 | 8k+ | | | Text Domain Mismatch |
| #1673 | Termly – GDPR/CCPA Cookie Consent Banner | 38 | 54 | 92 | 80k+ | | | Non-prefixed global variable |
| #1674 | Unconfirmed | 38 | 20 | 79 | 1k+ | | | Nonce verification recommended |
| #1675 | Use Any Font \| Custom Font Uploader | 38 | 37 | 53 | 200k+ | | | Request data is not unslashed |
| #1676 | User Specific Content | 38 | 143 | 19 | 1k+ | | | Text Domain Mismatch |
| #1677 | FancyTube – Video Gallery, Video Slider, and Playlist Slider for YouTube | 38 | 358 | 34 | 1k+ | | | Text Domain Mismatch |
| #1678 | W2S – Migrate WooCommerce to Shopify | 38 | 33 | 132 | 1k+ | | | Non-prefixed global variable |
| #1679 | SSLCommerz Payment Gateway | 38 | 21 | 132 | 2k+ | | | Non-prefixed global variable |
| #1680 | WholesaleX – B2B & Wholesale Plugin for WooCommerce with Wholesale Prices | 38 | 40 | 180 | 2k+ | | | Non-prefixed global variable |
| #1681 | WPC Frequently Bought Together for WooCommerce | 38 | 80 | 162 | 10k+ | | | Output is not escaped |
| #1682 | Vietnam Checkout for WooCommerce | 38 | 93 | 137 | 10k+ | | | Nonce verification recommended |
| #1683 | WP Accessibility Helper (WAH) | 38 | 61 | 88 | 10k+ | | | Missing direct file access protection |
| #1684 | WP Content Copy Protection with Color Design | 38 | 96 | 61 | 5k+ | | | Non Singular String Literal Domain |
| #1685 | Real-Time Post Statistics for WordPress | 38 | 63 | 68 | 2k+ | | | SQL query is not prepared |
| #1686 | External Store for Shopify | 38 | 97 | 33 | 2k+ | | | Output is not escaped |
| #1687 | WP Terms Popup – Terms and Conditions and Privacy Policy WordPress Popups | 38 | 299 | 58 | 3k+ | | | Non Singular String Literal Domain |
| #1688 | Zoho Campaigns | 38 | 3 | 129 | 3k+ | | | Non-prefixed global variable |
| #1689 | ACF: Google Font Selector | 39 | 57 | 45 | 3k+ | | | Output is not escaped |
| #1690 | Add Tiktok Pixel for Tiktok ads (+Woocommerce) | 39 | 94 | 25 | 2k+ | | | Output is not escaped |
| #1691 | Advanced Product Fields (Product Addons) for WooCommerce | 39 | 145 | 145 | 50k+ | | | Output is not escaped |
| #1692 | Advanced Woo Labels – Product Labels & Badges for WooCommerce | 39 | 172 | 122 | 10k+ | | | Output is not escaped |
| #1693 | Accessibility by AllAccessible | 39 | 200 | 82 | 2k+ | | | Unsafe printing function |
| #1694 | Archive Control | 39 | 151 | 67 | 1k+ | | | Unsafe printing function |
| #1695 | Timeline – Vertical and Horizontal Timeline Layouts | 39 | 500 | 43 | 2k+ | | | Output is not escaped |
| #1696 | Better Search Replace | 39 | 96 | 43 | 1m+ | | | Unsafe printing function |
| #1697 | Billplz for WooCommerce | 39 | 289 | 65 | 6k+ | | | Text Domain Mismatch |
| #1698 | Birds Custom Login | 39 | 196 | 23 | 4k+ | | | Non Singular String Literal Domain |
| #1699 | Bogo | 39 | 30 | 139 | 10k+ | | | Request data is not unslashed |
| #1700 | BugSnag Error Monitoring plugin | 39 | 52 | 96 | 2k+ | | | wp function not compatible with requires wp |