WordPress.Security.NonceVerification.Missing
Missing nonce verification
A request handler reads request data without verifying a nonce, so it never checks that the request was intentionally submitted by the user through a form, link, or AJAX call that WordPress generated.
Why It Shows Up
The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.
Why It Matters
Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.
How to Fix
- Add a nonce to the form, link, AJAX request, or REST request.
- Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
- Keep capability checks separate; nonces prove intent, not permission.
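As an added example (hypothetical plugin code, not from this page or any plugin listed on it), the handler pattern the sniff reports, beside a hardened version that prints a nonce into the form, verifies it with `check_admin_referer()`, and keeps the capability check as a separate step. The `myplugin_` function, option, hook, and nonce action names are assumptions.

```php
<?php
// Added example; hypothetical plugin code. All myplugin_* names are assumptions.

// BEFORE: the pattern WordPress.Security.NonceVerification.Missing reports.
// $_POST is used directly, so a forged cross-site form submitted by a
// logged-in administrator would change the option without their intent.
function myplugin_save_settings_unsafe() {
    update_option( 'myplugin_api_endpoint', sanitize_text_field( wp_unslash( $_POST['endpoint'] ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
}

// AFTER, step 1: the form carries a nonce bound to one action name.
function myplugin_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save_settings">
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <input type="text" name="endpoint"
               value="<?php echo esc_attr( get_option( 'myplugin_api_endpoint', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// AFTER, step 2: the handler checks permission and intent as two separate steps.
function myplugin_save_settings() {
    // Permission: a valid nonce does not prove this, so check the capability first.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'myplugin' ), '', array( 'response' => 403 ) );
    }
    // Intent: dies with a 403 page unless $_POST['myplugin_nonce'] is a valid
    // nonce for the 'myplugin_save_settings' action (also checks the referer).
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

    $endpoint = isset( $_POST['endpoint'] ) ? sanitize_text_field( wp_unslash( $_POST['endpoint'] ) ) : '';
    update_option( 'myplugin_api_endpoint', $endpoint );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
}
add_action( 'admin_post_myplugin_save_settings', 'myplugin_save_settings' );
```

For AJAX handlers the same split applies with `check_ajax_referer()` in place of `check_admin_referer()`; the capability check stays separate either way.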
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1801 | Billingo Official for WooCommerce | 40 | 26 | 37 | 3k+ | | | Output is not escaped |
| #1802 | Black Studio TinyMCE Widget | 40 | 39 | 28 | 200k+ | | | Output is not escaped |
| #1803 | Bulk Move | 40 | 85 | 44 | 9k+ | | | Unsafe printing function |
| #1804 | Contact form 7 TO API + Basic Auth | 40 | 73 | 30 | 1k+ | | | Non Singular String Literal Domain |
| #1805 | Contact Form 7 Multi-Step Forms | 40 | 65 | 40 | 50k+ | | | Output is not escaped |
| #1806 | Database Addon for Contact Form 7 – CFDB7 | 40 | 35 | 56 | 600k+ | | | Nonce verification recommended |
| #1807 | Free Cookie Notice & Consent Banner for Privacy Compliance (GDPR, CCPA, DSGVO and others) | 40 | 39 | 15 | 6k+ | | | Missing direct file access protection |
| #1808 | Country State City Dropdown CF7 | 40 | 35 | 54 | 5k+ | | | Direct Query |
| #1809 | Coupon Generator for WooCommerce | 40 | 39 | 28 | 10k+ | | | Unsafe printing function |
| #1810 | Custom Simple Rss | 40 | 73 | 130 | 2k+ | | | Nonce verification recommended |
| #1811 | Delete Me | 40 | 116 | 17 | 7k+ | | | Output is not escaped |
| #1812 | Duplicate Page | 40 | 39 | 43 | 3m+ | | | Unsafe printing function |
| #1813 | Eventer | 40 | 61 | 55 | 1k+ | | | Output is not escaped |
| #1814 | Export Media URLs | 40 | 71 | 35 | 7k+ | | | Output is not escaped |
| #1815 | Payment Gateway of PayPal for WooCommerce | 40 | 44 | 173 | 7k+ | | | Nonce verification recommended |
| #1816 | FameTheme Demo Importer | 40 | 8 | 74 | 30k+ | | | Nonce verification recommended |
| #1817 | FAQ Schema – Accordion, Tab, Slider & Gutenberg Block | 40 | 253 | 46 | 2k+ | | | Output is not escaped |
| #1818 | Fast User Switching | 40 | 28 | 28 | 2k+ | | | Output is not escaped |
| #1819 | Flying Scripts: Delay JavaScript to Improve Site Speed & Performance | 40 | 23 | 44 | 30k+ | | | Missing direct file access protection |
| #1820 | FlyWP Helper – Page Cache, Page Optimization, Emails for FlyWP Server Control Panel | 40 | 20 | 81 | 4k+ | | | Non-prefixed global variable |
| #1821 | Fusion Page Builder | 40 | 34 | 100 | 3k+ | | | Input is not validated |
| #1822 | Analytics Germanized for Google Analytics (GDPR / DSGVO) | 40 | 49 | 14 | 8k+ | | | Output is not escaped |
| #1823 | Osom Author Pro | 40 | 83 | 22 | 1k+ | | | Output is not escaped |
| #1824 | WP Armour – Honeypot Anti Spam | 40 | 56 | 66 | 400k+ | | | Missing nonce verification |
| #1825 | Hostinger Reach – AI-Powered Email Marketing for WordPress | 40 | 9 | 46 | 1m+ | | | Direct Query |
| #1826 | Image Alt Text | 40 | 79 | 97 | 9k+ | | | Non Singular String Literal Domain |
| #1827 | Correios Automático – Rastreio, Frete, Etiqueta, Declaração e Devolução | 40 | 32 | 56 | 4k+ | | | Non-prefixed global variable |
| #1828 | JSM Show Post Metadata | 40 | 15 | 66 | 10k+ | | | Nonce verification recommended |
| #1829 | JSM Show User Metadata | 40 | 14 | 64 | 3k+ | | | Nonce verification recommended |
| #1830 | La Sentinelle antispam | 40 | 88 | 46 | 3k+ | | | Output is not escaped |
| #1831 | Limit Login Attempts | 40 | 81 | 38 | 300k+ | | | Output is not escaped |
| #1832 | MailerSend – Official SMTP Integration | 40 | 39 | 25 | 2k+ | | | Unsafe printing function |
| #1833 | Manual Image Crop | 40 | 178 | 61 | 8k+ | | | Output is not escaped |
| #1834 | MAS Company Reviews For WP Job Manager | 40 | 44 | 71 | 1k+ | | | Output is not escaped |
| #1835 | Modal Window – create popup modal window | 40 | 4 | 170 | 10k+ | | | Non-prefixed global variable |
| #1836 | Multiple Featured Images | 40 | 50 | 22 | 5k+ | | | Output is not escaped |
| #1837 | Flying Images: Optimize and Lazy Load Images for Faster Page Speed | 40 | 32 | 58 | 3k+ | | | Missing direct file access protection |
| #1838 | No-Bot Registration | 40 | 112 | 42 | 2k+ | | | Unsafe printing function |
| #1839 | No CAPTCHA reCAPTCHA | 40 | 112 | 26 | 4k+ | | | Text Domain Mismatch |
| #1840 | One Click SSL | 40 | 136 | 62 | 10k+ | | | Unsafe printing function |
| #1841 | OPML Importer | 40 | 35 | 13 | 4k+ | | | Output is not escaped |
| #1842 | Pixel Tag Manager for WooCommerce – Google Analytics 4, Google Ads, and More Pixels | 40 | 68 | 249 | 3k+ | | | Missing nonce verification |
| #1843 | Plugin Load Filter | 40 | 76 | 112 | 7k+ | | | Text Domain Mismatch |
| #1844 | Quiz Cat – WordPress Quiz Plugin | 40 | 151 | 69 | 5k+ | | | Output is not escaped |
| #1845 | Random Banner | 40 | 59 | 125 | 1k+ | | | Output is not escaped |
| #1846 | Reseller Store | 40 | 53 | 33 | 1k+ | | | Output is not escaped |
| #1847 | Responsive Full Width Background Slider | 40 | 131 | 22 | 2k+ | | | Unsafe printing function |
| #1848 | Responsive Slider | 40 | 28 | 15 | 3k+ | | | Output is not escaped |
| #1849 | RPB Chessboard | 40 | 86 | 98 | 1k+ | | | Missing direct file access protection |
| #1850 | Secondary Title | 40 | 117 | 31 | 7k+ | | | Unsafe printing function |