WordPress.Security.NonceVerification.Missing
Missing nonce verification
A request handler acts on request data without verifying that the request was intentionally initiated through WordPress, rather than forged from elsewhere.
Why It Shows Up
The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.
Why It Matters
Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.
How to Fix
- Add a nonce to the form, link, AJAX request, or REST request.
- Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
- Keep capability checks separate; nonces prove intent, not permission.
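A minimal before/after for the pattern this sniff flags, as an added example (not the scanner's own text, nor code from any plugin listed below); the `myplugin_*` hook, option and field names are placeholders:

```php
<?php
// Added example, not from the scanner or any listed plugin. The myplugin_*
// hook, option and field names are hypothetical placeholders.

// Flagged by the sniff: $_POST is read and an option is written with no proof
// that the logged-in user meant to submit this request.
function myplugin_save_settings_unsafe() {
    if ( isset( $_POST['myplugin_footer_text'] ) ) {
        update_option( 'myplugin_footer_text', $_POST['myplugin_footer_text'] );
    }
}

// Fix, step 1: emit the nonce field in the form that targets the handler.
function myplugin_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save_settings">
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <input type="text" name="myplugin_footer_text"
               value="<?php echo esc_attr( get_option( 'myplugin_footer_text', '' ) ); ?>">
        <?php submit_button( __( 'Save', 'myplugin' ) ); ?>
    </form>
    <?php
}

// Fix, step 2: the handler checks permission (capability) and intent (nonce)
// as two separate checks, then sanitizes before changing state.
function myplugin_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change this setting.', 'myplugin' ), '', array( 'response' => 403 ) );
    }
    // Stops the request with a 403 if the nonce is missing, expired or forged.
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

    $text = isset( $_POST['myplugin_footer_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['myplugin_footer_text'] ) )
        : '';
    update_option( 'myplugin_footer_text', $text );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_myplugin_save_settings', 'myplugin_save_settings' );

// For admin-ajax handlers the same split applies, with check_ajax_referer()
// verifying a nonce sent in the request body, e.g.:
//   check_ajax_referer( 'myplugin_toggle', 'nonce' );
```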
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1701 | Bulk NoIndex & NoFollow Toolkit | 39 | 72 | 172 | 2k+ | | | Nonce verification recommended |
| #1702 | Calculator Builder – Create an Online Calculator | 39 | 16 | 221 | 1k+ | | | Non-prefixed global variable |
| #1703 | Configurable Tag Cloud (CTC) | 39 | 126 | 121 | 2k+ | | | Output is not escaped |
| #1704 | Constant Contact + WooCommerce | 39 | 27 | 91 | 1k+ | | | Nonce verification recommended |
| #1705 | Contact Form 7 – Dynamic Text Extension | 39 | 103 | 28 | 100k+ | | | Output is not escaped |
| #1706 | Image CAPTCHA for Contact Form 7 and WPForms by HookAndHook (DSGVO/GDPR) | 39 | 28 | 45 | 80k+ | | | Missing nonce verification |
| #1707 | Country & Phone Field Contact Form 7 | 39 | 117 | 34 | 40k+ | | | Text Domain Mismatch |
| #1708 | Culqi | 39 | 571 | 88 | 1k+ | | | Text Domain Mismatch |
| #1709 | Debug Log Viewer | 39 | 24 | 95 | 1k+ | | | Non-prefixed global variable |
| #1710 | DefendWP Firewall | 39 | 16 | 203 | 3k+ | | | Non-prefixed global variable |
| #1711 | Donation Thermometer | 39 | 718 | 84 | 2k+ | | | Output is not escaped |
| #1712 | ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor | 39 | 73 | 348 | 1m+ | | | Non-prefixed global variable |
| #1713 | Export All URLs | 39 | 151 | 45 | 50k+ | | | Non Singular String Literal Domain |
| #1714 | BestWebSoft's Like & Share – Posts, Pages and Widget Social Extension plugin for WordPress | 39 | 480 | 226 | 4k+ | | | Text Domain Mismatch |
| #1715 | Faster Image Insert | 39 | 94 | 26 | 2k+ | | | Output is not escaped |
| #1716 | First Order Discount Woocommerce | 39 | 55 | 30 | 1k+ | | | Output is not escaped |
| #1717 | Genesis Dambuster | 39 | 94 | 67 | 3k+ | | | Output is not escaped |
| #1718 | Gift Up Gift Cards for WordPress and WooCommerce | 39 | 94 | 60 | 5k+ | | | Output is not escaped |
| #1719 | Prisna GWT – Google Website Translator | 39 | 117 | 77 | 8k+ | | | Text Domain Mismatch |
| #1720 | GoSMTP – SMTP for WordPress | 39 | 59 | 42 | 500k+ | | | Output is not escaped |
| #1721 | Graphina – Charts and Graphs For Elementor | 39 | 1,895 | 113 | 10k+ | | | Text Domain Mismatch |
| #1722 | Gravity Slider Fields | 39 | 56 | 36 | 2k+ | | | Text Domain Mismatch |
| #1723 | HD Quiz | 39 | 252 | 81 | 7k+ | | | Output is not escaped |
| #1724 | Maintenance Mode | 39 | 86 | 109 | 7k+ | | | Output is not escaped |
| #1725 | hpb seo plugin for WordPress | 39 | 15 | 87 | 2k+ | | | Non-prefixed global variable |
| #1726 | If Menu – Visibility control for Menus | 39 | 281 | 63 | 50k+ | | | Output is not escaped |
| #1727 | S2W – Import Shopify to WooCommerce | 39 | 8 | 132 | 3k+ | | | Request data is not unslashed |
| #1728 | Improved Save Button | 39 | 44 | 52 | 4k+ | | | Missing Translators Comment |
| #1729 | Insert Html Snippet | 39 | 159 | 205 | 20k+ | | | Output is not escaped |
| #1730 | JetGridBuilder — Grid Builder for Elementor and Gutenberg | 39 | 414 | 40 | 4k+ | | | Text Domain Mismatch |
| #1731 | Leaflet Map | 39 | 59 | 32 | 30k+ | | | Output is not escaped |
| #1732 | LH Add Media From Url | 39 | 42 | 26 | 2k+ | | | Output is not escaped |
| #1733 | LuckyWP Table of Contents | 39 | 438 | 62 | 100k+ | | | Output is not escaped |
| #1734 | Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid | 39 | 65 | 72 | 6k+ | | | block api version too low |
| #1735 | Mail Subscribe List | 39 | 17 | 94 | 3k+ | | | Input is not validated |
| #1736 | Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin | 39 | 1 | 395 | 3k+ | | | Input is not sanitized |
| #1737 | Kikote – Location Picker at Checkout & Google Address AutoFill Plugin for WooCommerce | 39 | 76 | 64 | 1k+ | | | Missing Translators Comment |
| #1738 | Markup by Attribute for WooCommerce | 39 | 46 | 102 | 2k+ | | | Direct Query |
| #1739 | Mascaras CF7 | 39 | 54 | 16 | 1k+ | | | Text Domain Mismatch |
| #1740 | Meks Easy Photo Feed Widget | 39 | 77 | 27 | 10k+ | | | Output is not escaped |
| #1741 | Movable Type and TypePad Importer | 39 | 42 | 25 | 20k+ | | | Output is not escaped |
| #1742 | Multilingual Contact Form 7 with Polylang | 39 | 50 | 30 | 9k+ | | | Text Domain Mismatch |
| #1743 | SOGO Add Script to Individual Pages Header Footer | 39 | 74 | 40 | 20k+ | | | Output is not escaped |
| #1744 | Pay by paynow.pl | 39 | 51 | 56 | 6k+ | | | Output is not escaped |
| #1745 | Designil PDPA Thailand | 39 | 131 | 36 | 3k+ | | | Output is not escaped |
| #1746 | Permalink Manager for WooCommerce | 39 | 116 | 24 | 8k+ | | | Short PHP open tag found |
| #1747 | Privilege Menu | 39 | 215 | 49 | 1k+ | | | Text Domain Mismatch |
| #1748 | Product Video Gallery for Woocommerce | 39 | 63 | 36 | 10k+ | | | Setting is missing a sanitization callback |
| #1749 | Purge Varnish Cache | 39 | 113 | 151 | 1k+ | | | Non-prefixed global variable |
| #1750 | Simple Webchat | 39 | 142 | 204 | 1k+ | | | Output is not escaped |