WordPress.Security.NonceVerification.Missing
Missing nonce verification
A request handler uses request data without verifying that the request was intentionally created by WordPress.
Why It Shows Up
The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.
Why It Matters
Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.
How to Fix
- Add a nonce to the form, link, AJAX request, or REST request.
- Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
- Keep capability checks separate; nonces prove intent, not permission.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Updated | Top Issue |
|---|---|---|---|---|---|---|---|
| #1751 | CF7 Invisible reCAPTCHA | 41 | 19 | 52 | 7k+ | Missing Unslash | |
| #1752 | Contact Form 7 Captcha | 41 | 7 | 75 | 100k+ | Missing Unslash | |
| #1753 | Controlled Admin Access | 41 | 22 | 40 | 10k+ | Recommended | |
| #1754 | Dashboard Notepad | 41 | 29 | 34 | 10k+ | Missing | |
| #1755 | DevVN Local Store | 41 | 84 | 28 | 1k+ | Unsafe Printing Function | |
| #1756 | Email Address Encoder | 41 | 109 | 8 | 100k+ | wp function not compatible with requires wp | |
| #1757 | Flexible Posts Widget | 41 | 136 | 33 | 8k+ | Output Not Escaped | |
| #1758 | Google Authenticator | 41 | 39 | 65 | 20k+ | Output Not Escaped | |
| #1759 | (Simply) Guest Author Name | 41 | 35 | 36 | 2k+ | Output Not Escaped | |
| #1760 | Import external attachments | 41 | 18 | 26 | 2k+ | Output Not Escaped | |
| #1761 | Inpost Paczkomaty | 41 | 35 | 68 | 8k+ | Text Domain Mismatch | |
| #1762 | Social Sharing Plugin – Kiwi | 41 | 23 | 80 | 4k+ | Non Prefixed Variable Found | |
| #1763 | Central Color Palette | 41 | 73 | 33 | 10k+ | Output Not Escaped | |
| #1764 | Lazy Load Optimizer | 41 | 63 | 26 | 3k+ | Unsafe Printing Function | |
| #1765 | Lockdown WP Admin | 41 | 20 | 50 | 10k+ | Missing Unslash | |
| #1766 | Magic Liquidizer Responsive Table | 41 | 114 | 38 | 6k+ | Text Domain Mismatch | |
| #1767 | Mollie Forms | 41 | 14 | 565 | 3k+ | Missing Unslash | |
| #1768 | Native Emoji | 41 | 54 | 37 | 5k+ | Unsafe Printing Function | |
| #1769 | Social Login | 41 | 8 | 110 | 5k+ | Input Not Sanitized | |
| #1770 | Omnibus — show the lowest price | 41 | 35 | 37 | 10k+ | Output Not Escaped | |
| #1771 | Optimus – WordPress Image Optimizer | 41 | 52 | 20 | 30k+ | Unsafe Printing Function | |
| #1772 | Pods – Custom Content Types and Fields | 41 | 5 | 233 | 100k+ | Direct Query | |
| #1773 | Ally – Web Accessibility & Usability | 41 | 47 | 35 | 500k+ | Output Not Escaped | |
| #1774 | Smart Post – Post Grid, Post Carousel, Post Slider Gutenberg Blocks for Blog & News | 41 | 537 | 20k+ | Non Prefixed Variable Found | ||
| #1775 | Posts 2 Posts | 41 | 42 | 73 | 10k+ | Non Singular String Literal Domain | |
| #1776 | Preload LCP Image | 41 | 110 | 31 | 4k+ | Unsafe Printing Function | |
| #1777 | Product Expiry for WooCommerce | 41 | 31 | 85 | 2k+ | Missing Unslash | |
| #1778 | Simple Product Options for WooCommerce | 41 | 62 | 41 | 3k+ | Output Not Escaped | |
| #1779 | Variation Swatches for WooCommerce | 41 | 29 | 126 | 9k+ | Missing | |
| #1780 | Responsive Gallery Grid | 41 | 74 | 14 | 4k+ | Output Not Escaped | |
| #1781 | Responsive Lightbox | 41 | 68 | 10 | 10k+ | Output Not Escaped | |
| #1782 | Revision Control | 41 | 60 | 28 | 40k+ | Output Not Escaped | |
| #1783 | Revisionize | 41 | 54 | 24 | 4k+ | Output Not Escaped | |
| #1784 | Simple 301 Redirects By BetterLinks – Easy WordPress Redirect Manager for Redirects, 404 Error Log & More | 41 | 43 | 61 | 100k+ | Missing Unslash | |
| #1785 | Simple Like Page – Fast & Privacy-Friendly Page Embeds | 41 | 145 | 31 | 10k+ | Output Not Escaped | |
| #1786 | Simple Lightbox | 41 | 21 | 48 | 100k+ | Recommended | |
| #1787 | SiteSEO – SEO Simplified | 41 | 20 | 110 | 500k+ | Recommended | |
| #1788 | Squeeze – Image Optimization & Compression, WEBP Conversion | 41 | 18 | 71 | 2k+ | Recommended | |
| #1789 | tarteaucitron.io | 41 | 44 | 92 | 10k+ | Output Not Escaped | |
| #1790 | Text Hover | 41 | 44 | 13 | 1k+ | Output Not Escaped | |
| #1791 | Text Replace | 41 | 55 | 12 | 3k+ | Output Not Escaped | |
| #1792 | Advanced Editor Tools | 41 | 143 | 84 | 1m+ | Unsafe Printing Function | |
| #1793 | Unbloater | 41 | 57 | 18 | 5k+ | Output Not Escaped | |
| #1794 | WC Price History | 41 | 18 | 17 | 4k+ | Not Prepared | |
| #1795 | Checkout Field Editor (Checkout Manager) for WooCommerce | 41 | 9 | 88 | 400k+ | Recommended | |
| #1796 | Advanced Custom Stock Status | 41 | 84 | 33 | 9k+ | Output Not Escaped | |
| #1797 | Pay for Payment for WooCommerce | 41 | 29 | 67 | 10k+ | Missing | |
| #1798 | Spam Protect for Contact Form 7 | 41 | 16 | 61 | 10k+ | Missing Unslash | |
| #1799 | WP Extended Search | 41 | 159 | 37 | 20k+ | Output Not Escaped | |
| #1800 | Pledged Plugins PCI Gateway for NMI and WooCommerce | 41 | 160 | 42 | 3k+ | Text Domain Mismatch |
