WordPress.Security.NonceVerification.Missing

Missing nonce verification

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical weight

Why It Shows Up

The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.

Why It Matters

Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.

How to Fix

  • Add a nonce to the form, link, AJAX request, or REST request.
  • Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
  • Keep capability checks separate; nonces prove intent, not permission.
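The three steps above as one form-and-handler pair. This is an added example, not code from any plugin listed on this page; every `myplugin_*` name, the option key and the `myplugin` settings page slug are hypothetical.

```php
<?php
// Added example. All myplugin_* names and the 'myplugin' page slug are hypothetical.

// Render the form: wp_nonce_field() emits a hidden nonce bound to the 'myplugin_save' action.
function myplugin_render_form() {
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="myplugin_save" />
		<?php wp_nonce_field( 'myplugin_save', 'myplugin_nonce' ); ?>
		<input type="text" name="myplugin_label"
			value="<?php echo esc_attr( get_option( 'myplugin_label', '' ) ); ?>" />
		<?php submit_button(); ?>
	</form>
	<?php
}

// Form handler (admin-post.php): verify before touching $_POST or changing state.
function myplugin_handle_save() {
	// Permission: may this user change the setting at all?
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Not allowed.', 'myplugin' ), '', array( 'response' => 403 ) );
	}
	// Intent: did the request come from our form? Dies on a missing or invalid nonce.
	check_admin_referer( 'myplugin_save', 'myplugin_nonce' );

	$label = isset( $_POST['myplugin_label'] )
		? sanitize_text_field( wp_unslash( $_POST['myplugin_label'] ) )
		: '';
	update_option( 'myplugin_label', $label );

	wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
	exit;
}
add_action( 'admin_post_myplugin_save', 'myplugin_handle_save' );

// AJAX handler: same two checks, using the AJAX-specific verifier.
function myplugin_ajax_save() {
	check_ajax_referer( 'myplugin_save', 'nonce' ); // client sends wp_create_nonce( 'myplugin_save' ) as "nonce"
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
	}
	$label = isset( $_POST['label'] ) ? sanitize_text_field( wp_unslash( $_POST['label'] ) ) : '';
	update_option( 'myplugin_label', $label );
	wp_send_json_success();
}
add_action( 'wp_ajax_myplugin_save', 'myplugin_ajax_save' );
```

The action string passed to the verifier must match the one used when the nonce was created; a nonce generated for a different action fails verification.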

Affected Plugins

Rank | Plugin | Score Errors Warnings Installs Added Updated | Top Issue
#1851 | Export Featured Images | 35176671k+ | Output is not escaped
#1852 | WP2Social Auto Publish | 356432159k+ | Unsafe printing function
#1853 | Pixel Cat – Conversion Pixel Manager | 3525321540k+ | Output is not escaped
#1854 | Instant Indexing for Google | 351362200k+ | Non-prefixed global variable
#1855 | Reviews Widgets for Google, TripAdvisor, Yelp & Recommendations | 3525522510k+ | Output is not escaped
#1856 | Flexible Checkout Fields for WooCommerce – WooCommerce Checkout Manager | 35646480k+ | Non-prefixed global variable
#1857 | FooGallery Migrate | 35412321k+ | Non-prefixed global variable
#1858 | Friendly Captcha for WordPress | 35192629k+ | Output is not escaped
#1859 | Frontend Reset Password | 358312810k+ | Text Domain Mismatch
#1860 | Full Width Banner Slider Wp | 352391402k+ | Output is not escaped
#1861 | GDPR Compliance & Cookie Consent | 35251614k+ | Output is not escaped
#1862 | Genesis Simple Sidebars | 3595110k+ | Nonce verification recommended
#1863 | Get a Newsletter | 35138144400 | Output is not escaped
#1864 | Reviews Block for Google | 35244351k+ | Missing Arg Domain
#1865 | Gravitec.net – Web Push Notifications | 3547521k+ | wp function not compatible with requires wp
#1866 | Gravity Forms: Multiple Form Instances | 3566700 | Hidden files included
#1867 | Health Check & Troubleshooting | 35264238300k+ | Missing Arg Domain
#1868 | Hippoo Mobile App for WooCommerce | 355921k+ | Direct Query
#1869 | HivePress – Business Directory, Listings & Classified Ads Plugin | 353818010k+ | Direct Query
#1870 | HookMeUp for WooCommerce | 35592910k+ | Output is not escaped
#1871 | Iframely – WP media embeds, cards and blocks | 35136432k+ | Unsafe printing function
#1872 | Image Slider | 35192954k+ | Output is not escaped
#1873 | ImageMagick Engine | 35632960k+ | Unsafe printing function
#1874 | InPost PL | 35292510k+ | Non-prefixed global variable
#1875 | Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts | 35649160k+ | Output is not escaped
#1876 | Inspiro Starter Sites – 20+ Free Demo Templates for Gutenberg & Elementor | 35620010k+ | Non-prefixed global variable
#1877 | Instant CSS | 3525253k+ | Output is not escaped
#1878 | IntenseDebate Comments | 35203114500 | Output is not escaped
#1879 | IP Based Login | 35179146600 | Output is not escaped
#1880 | iPages – FlipBook Image & PDF Viewer | 354671772k+ | Text Domain Mismatch
#1881 | Jarvis | 351019500 | Input is not validated
#1882 | Nobs • Share Buttons | 35314853k+ | Output is not escaped
#1883 | Kargo Takip | 35841423k+ | Missing nonce verification
#1884 | Kaya QR Code Generator | 351934020k+ | Non Singular String Literal Domain
#1885 | Keyring | 352332031k+ | Output is not escaped
#1886 | Kirki – Freeform Page Builder, Website Builder & Customizer | 351773500k+ | Nonce verification recommended
#1887 | Kiyoh customer review | 3517368500 | Output is not escaped
#1888 | Kustom Checkout for WooCommerce | 3510150510k+ | Dynamic hook name
#1889 | Lead Form Builder & Contact Form | 354003459k+ | Output is not escaped
#1890 | Lead Generation Form | 352163600 | Non-prefixed global variable
#1891 | Log HTTP Requests | 357182k+ | Interpolated SQL is not prepared
#1892 | Login Page Styler – Custom WordPress Login Page Customizer & Security | 351251682k+ | Missing Arg Domain
#1893 | Magic Login – Passwordless Authentication for WordPress – Login Without Password | 3523533k+ | Missing nonce verification
#1894 | MainWP Child Reports | 3549116100k+ | Non-prefixed hook name
#1895 | Marquee image crawler | 35168136700 | Non-prefixed global variable
#1896 | Media Library Downloader | 3521164k+ | Output is not escaped
#1897 | Restaurant Menu – Food Ordering System – Table Reservation | 353171868k+ | Unsafe printing function
#1898 | Mini Ajax Cart for WooCommerce | 35297240900 | Text Domain Mismatch
#1899 | Mini Cart for WooCommerce – Add a Stylish Sliding Cart | 3542160600 | Non-prefixed global variable
#1900 | mosparo Integration | 35114301900 | Missing nonce verification