WordPress.Security.NonceVerification.Missing

Missing nonce verification

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical weight

Why It Shows Up

The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.

Why It Matters

Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request (cross-site request forgery, CSRF).

How to Fix

  • Add a nonce to the form, link, AJAX request, or REST request.
  • Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
  • Keep capability checks separate; nonces prove intent, not permission.
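The three steps above in one handler, as an added example that is not code from any scanned plugin: the `myplugin_` prefix, the action names, the option name, and the settings page slug are all hypothetical. It shows the order that matters: nonce check first, capability check second, and only then reading `$_POST`.

```php
<?php
// Hypothetical plugin code: the "myplugin_" prefix, action names, and option name are assumptions.

// 1. Render the settings form with a nonce tied to one specific action.
function myplugin_render_form() {
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="myplugin_save" />
		<?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
		<input type="text" name="myplugin_label"
			value="<?php echo esc_attr( get_option( 'myplugin_label', '' ) ); ?>" />
		<?php submit_button(); ?>
	</form>
	<?php
}

// 2. Handle the submission: verify intent, then permission, then read input.
add_action( 'admin_post_myplugin_save', 'myplugin_handle_save' );
function myplugin_handle_save() {
	// Intent: stops the request if the nonce is missing, wrong, or expired.
	check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

	// Permission: a valid nonce does not mean the user may change settings.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'You are not allowed to change these settings.', 'myplugin' ), 403 );
	}

	// Only now touch $_POST; unslash and sanitize before storing.
	$label = isset( $_POST['myplugin_label'] )
		? sanitize_text_field( wp_unslash( $_POST['myplugin_label'] ) )
		: '';
	update_option( 'myplugin_label', $label );

	wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
	exit;
}

// 3. AJAX variant: same order of checks, nonce sent in the "nonce" field.
add_action( 'wp_ajax_myplugin_reset', 'myplugin_ajax_reset' );
function myplugin_ajax_reset() {
	check_ajax_referer( 'myplugin_reset', 'nonce' );
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}
	delete_option( 'myplugin_label' );
	wp_send_json_success();
}
```

Use a distinct nonce action string per operation so a nonce issued for one form cannot be replayed against another handler.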

Affected Plugins

Rank Plugin Score Errors Warnings Installs Added Updated Top Issue
#1901 Movylo Marketing Automation 353888700 error log print r
#1902 Moyasar 35436128700 Text Domain Mismatch
#1903 My Eyes Are Up Here 357122k+ Missing nonce verification
#1904 Never Let Me Go 353447400 Non-prefixed global variable
#1905 NGG Smart Image Search 35298155400 Output is not escaped
#1906 Nooz 35287108500 Text Domain Mismatch
#1907 One Page Express Companion 351326510k+ Output is not escaped
#1908 ONet Regenerate Thumbnails 35190641k+ Text Domain Mismatch
#1909 Plugin Ongkos Kirim JNE Tiki Sicepat Wahana J&T POS for Woocommerce 351171442k+ Output is not escaped
#1910 Orderable – Restaurant & Food Ordering System 35123245k+ Non-prefixed global variable
#1911 Page Visits Counter – Lite 3528355k+ Output is not escaped
#1912 Paybox WooCommerce Payment Gateway 3516588500 Non Singular String Literal Domain
#1913 Paytm Payment Gateway 35921043k+ Missing Arg Domain
#1914 Perfecty Push Notifications 352042134k+ SQL query is not prepared
#1915 Permissions Editor for Ninja Forms 352961k+ Output is not escaped
#1916 PiWeb Delivery & Pickup Date Time for WooCommerce 35377163500 Text Domain Mismatch
#1917 Planyo online reservation system 356490400 Output is not escaped
#1918 Plausible Analytics 352446110k+ Exception output is not escaped
#1919 Accept Cryptocurrencies with Plisio 3537471k+ Text Domain Mismatch
#1920 Pochipp 352710220k+ Non-prefixed global variable
#1921 Poptin – Email Marketing Automation, Newsletter & Exit Pop Ups, Email Popups 351682920k+ Output is not escaped
#1922 Popular Posts 3516671900 Unsafe printing function
#1923 Post Draft Preview 354969700 Text Domain Mismatch
#1924 Post List Featured Image 35112100900 Output is not escaped
#1925 Post Meta Data Manager 35301121k+ Non-prefixed global variable
#1926 Post Password Token 3513238600 Text Domain Mismatch
#1927 Posts Table with Search & Sort 35143333k+ Text Domain Mismatch
#1928 Min Max Step Quantity Limits Manager for WooCommerce 35671583k+ Non-prefixed global variable
#1929 Protect the Children! 352341k+ Missing nonce verification
#1930 Publitio 354726400 curl curl setopt
#1931 Push Notifications by LaraPush 3532764k+ Non-prefixed global variable
#1932 Push7 354517700 Short PHP open tag found
#1933 Quran multilanguage Text & Audio 35177166500 Output is not escaped
#1934 ReactPress – Create React App for WordPress 3526433k+ Request data is not unslashed
#1935 Real Time Validation for Gravity Forms 35185302k+ Output is not escaped
#1936 Really Simple Google Tag Manager (GTM) 35115154k+ Text Domain Mismatch
#1937 Related Posts for WordPress 3520718010k+ Output is not escaped
#1938 ReOrder Posts within Categories 35392077k+ Non-prefixed global variable
#1939 Reseller Store 3556341k+ Output is not escaped
#1940 sCode (Easy Shortcodes) 3515797400 Text Domain Mismatch
#1941 Scroll Styler 355221900 Output is not escaped
#1942 Internal Links Manager 3518812110k+ Output is not escaped
#1943 Shipping Zones by Drawing for WooCommerce 3527895600 Text Domain Mismatch
#1944 Shop Page WP 3568232k+ Unsafe printing function
#1945 Shopkeeper Extender 3514265k+ Missing Version
#1946 Product Feed for Google Shopping, Microsoft Advertising and 40+ Channels for WooCommerce Merchant 3583762k+ Output is not escaped
#1947 SHOPVOTE 356458400 curl curl setopt
#1948 Simple CAPTCHA with Cloudflare Turnstile 3582148100k+ Output is not escaped
#1949 Simple Export Import for ACF Data 3519641k+ Request data is not unslashed
#1950 Simple Image Sizes 35537560k+ Unsafe printing function