WordPress.Security.NonceVerification.Missing
Missing nonce verification
A request handler acts on request data without verifying that the request came from a form, link or AJAX call that WordPress generated for the current user, rather than from a third-party page.
Why It Shows Up
The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.
Why It Matters
Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request from another site (cross-site request forgery).
How to Fix
- Add a nonce to the form, link, AJAX request, or REST request.
- Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
- Keep capability checks separate; nonces prove intent, not permission.
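As an added illustration (not code from the page or from any listed plugin), a hypothetical `myplugin_` settings handler in the flagged shape sits next to its hardened form, which applies the three steps above with `check_admin_referer()` and `check_ajax_referer()`. Every `myplugin_` name is made up, and WordPress core functions are assumed to be loaded.

```php
<?php
// Added example; all "myplugin_" names are hypothetical, WordPress core is assumed loaded.

// --- Flagged pattern: state changes on $_POST with no nonce and no capability check. ---
add_action( 'admin_post_myplugin_save', 'myplugin_save_insecure' );
function myplugin_save_insecure() {
    // Any page an admin visits can auto-submit this form (CSRF).
    update_option( 'myplugin_color', $_POST['myplugin_color'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
}

// --- Hardened: the form carries a nonce field tied to a named action. ---
function myplugin_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save">
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <input type="text" name="myplugin_color"
               value="<?php echo esc_attr( get_option( 'myplugin_color', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_myplugin_save', 'myplugin_save_secure' );
function myplugin_save_secure() {
    // 1. Intent: dies with HTTP 403 when the nonce is missing, expired or forged.
    //    (wp_verify_nonce() only returns false; callers must stop on their own.)
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );
    // 2. Permission: a valid nonce from a low-privilege user must still be rejected.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Not allowed.', 'myplugin' ), 403 );
    }
    // 3. Only now read, unslash and sanitize the input, then change state.
    $color = isset( $_POST['myplugin_color'] )
        ? sanitize_text_field( wp_unslash( $_POST['myplugin_color'] ) ) : '';
    update_option( 'myplugin_color', $color );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
}

// --- AJAX variant: nonce is sent as "_ajax_nonce" (default) and checked first. ---
add_action( 'wp_ajax_myplugin_toggle', 'myplugin_toggle_ajax' );
function myplugin_toggle_ajax() {
    check_ajax_referer( 'myplugin_toggle' ); // responds "-1" and exits on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'myplugin_enabled', ! get_option( 'myplugin_enabled', false ) );
    wp_send_json_success();
}
```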
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1851 | Export Featured Images | 35 | 176 | 67 | 1k+ | | | Output is not escaped |
| #1852 | WP2Social Auto Publish | 35 | 643 | 215 | 9k+ | | | Unsafe printing function |
| #1853 | Pixel Cat – Conversion Pixel Manager | 35 | 253 | 215 | 40k+ | | | Output is not escaped |
| #1854 | Instant Indexing for Google | 35 | 13 | 62 | 200k+ | | | Non-prefixed global variable |
| #1855 | Reviews Widgets for Google, TripAdvisor, Yelp & Recommendations | 35 | 255 | 225 | 10k+ | | | Output is not escaped |
| #1856 | Flexible Checkout Fields for WooCommerce – WooCommerce Checkout Manager | 35 | 64 | 64 | 80k+ | | | Non-prefixed global variable |
| #1857 | FooGallery Migrate | 35 | 41 | 232 | 1k+ | | | Non-prefixed global variable |
| #1858 | Friendly Captcha for WordPress | 35 | 192 | 62 | 9k+ | | | Output is not escaped |
| #1859 | Frontend Reset Password | 35 | 83 | 128 | 10k+ | | | Text Domain Mismatch |
| #1860 | Full Width Banner Slider Wp | 35 | 239 | 140 | 2k+ | | | Output is not escaped |
| #1861 | GDPR Compliance & Cookie Consent | 35 | 251 | 61 | 4k+ | | | Output is not escaped |
| #1862 | Genesis Simple Sidebars | 35 | 9 | 51 | 10k+ | | | Nonce verification recommended |
| #1863 | Get a Newsletter | 35 | 138 | 144 | 400 | | | Output is not escaped |
| #1864 | Reviews Block for Google | 35 | 244 | 35 | 1k+ | | | Missing Arg Domain |
| #1865 | Gravitec.net – Web Push Notifications | 35 | 47 | 52 | 1k+ | | | wp function not compatible with requires wp |
| #1866 | Gravity Forms: Multiple Form Instances | 35 | 6 | 6 | 700 | | | Hidden files included |
| #1867 | Health Check & Troubleshooting | 35 | 264 | 238 | 300k+ | | | Missing Arg Domain |
| #1868 | Hippoo Mobile App for WooCommerce | 35 | 5 | 92 | 1k+ | | | Direct Query |
| #1869 | HivePress – Business Directory, Listings & Classified Ads Plugin | 35 | 38 | 180 | 10k+ | | | Direct Query |
| #1870 | HookMeUp for WooCommerce | 35 | 59 | 29 | 10k+ | | | Output is not escaped |
| #1871 | Iframely – WP media embeds, cards and blocks | 35 | 136 | 43 | 2k+ | | | Unsafe printing function |
| #1872 | Image Slider | 35 | 192 | 95 | 4k+ | | | Output is not escaped |
| #1873 | ImageMagick Engine | 35 | 63 | 29 | 60k+ | | | Unsafe printing function |
| #1874 | InPost PL | 35 | 2 | 925 | 10k+ | | | Non-prefixed global variable |
| #1875 | Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts | 35 | 64 | 91 | 60k+ | | | Output is not escaped |
| #1876 | Inspiro Starter Sites – 20+ Free Demo Templates for Gutenberg & Elementor | 35 | 6 | 200 | 10k+ | | | Non-prefixed global variable |
| #1877 | Instant CSS | 35 | 25 | 25 | 3k+ | | | Output is not escaped |
| #1878 | IntenseDebate Comments | 35 | 203 | 114 | 500 | | | Output is not escaped |
| #1879 | IP Based Login | 35 | 179 | 146 | 600 | | | Output is not escaped |
| #1880 | iPages – FlipBook Image & PDF Viewer | 35 | 467 | 177 | 2k+ | | | Text Domain Mismatch |
| #1881 | Jarvis | 35 | 10 | 19 | 500 | | | Input is not validated |
| #1882 | Nobs • Share Buttons | 35 | 314 | 85 | 3k+ | | | Output is not escaped |
| #1883 | Kargo Takip | 35 | 84 | 142 | 3k+ | | | Missing nonce verification |
| #1884 | Kaya QR Code Generator | 35 | 193 | 40 | 20k+ | | | Non Singular String Literal Domain |
| #1885 | Keyring | 35 | 233 | 203 | 1k+ | | | Output is not escaped |
| #1886 | Kirki – Freeform Page Builder, Website Builder & Customizer | 35 | 1 | 773 | 500k+ | | | Nonce verification recommended |
| #1887 | Kiyoh customer review | 35 | 173 | 68 | 500 | | | Output is not escaped |
| #1888 | Kustom Checkout for WooCommerce | 35 | 101 | 505 | 10k+ | | | Dynamic hook name |
| #1889 | Lead Form Builder & Contact Form | 35 | 400 | 345 | 9k+ | | | Output is not escaped |
| #1890 | Lead Generation Form | 35 | 21 | 63 | 600 | | | Non-prefixed global variable |
| #1891 | Log HTTP Requests | 35 | 7 | 18 | 2k+ | | | Interpolated SQL is not prepared |
| #1892 | Login Page Styler – Custom WordPress Login Page Customizer & Security | 35 | 125 | 168 | 2k+ | | | Missing Arg Domain |
| #1893 | Magic Login – Passwordless Authentication for WordPress – Login Without Password | 35 | 23 | 53 | 3k+ | | | Missing nonce verification |
| #1894 | MainWP Child Reports | 35 | 49 | 116 | 100k+ | | | Non-prefixed hook name |
| #1895 | Marquee image crawler | 35 | 168 | 136 | 700 | | | Non-prefixed global variable |
| #1896 | Media Library Downloader | 35 | 21 | 16 | 4k+ | | | Output is not escaped |
| #1897 | Restaurant Menu – Food Ordering System – Table Reservation | 35 | 317 | 186 | 8k+ | | | Unsafe printing function |
| #1898 | Mini Ajax Cart for WooCommerce | 35 | 297 | 240 | 900 | | | Text Domain Mismatch |
| #1899 | Mini Cart for WooCommerce – Add a Stylish Sliding Cart | 35 | 42 | 160 | 600 | | | Non-prefixed global variable |
| #1900 | mosparo Integration | 35 | 114 | 301 | 900 | | | Missing nonce verification |