WordPress.Security.NonceVerification.Missing
Missing nonce verification
A request handler reads request data and acts on it without first verifying a nonce, that is, without proof that the request originated from a form, link, or script that WordPress generated for the current user.
Why It Shows Up
The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.
Why It Matters
Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.
How to Fix
- Add a nonce to the form, link, AJAX request, or REST request.
- Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
- Keep capability checks separate; nonces prove intent, not permission.
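The three steps above, worked through as an added example (not code from the scanner, the sniff, or any plugin in the table below). It shows the pattern the sniff flags next to the fixed pattern for a settings form submitted through `admin-post.php`, an admin AJAX endpoint, and a nonced GET link. The `myplugin_` prefix, the option names, the nonce action names, and the field name `myplugin_nonce` are assumptions chosen for the example.

```php
<?php
// Added example; the myplugin_ prefix, option names and nonce action names are assumptions.

// --- Flagged by WordPress.Security.NonceVerification.Missing --------------------
// Request data is read and state is changed with no proof that the request came
// from a form WordPress rendered for this user.
function myplugin_save_settings_unsafe() {
    if ( isset( $_POST['myplugin_api_key'] ) ) {
        update_option( 'myplugin_api_key', sanitize_text_field( wp_unslash( $_POST['myplugin_api_key'] ) ) );
    }
}

// --- Fixed, step 1: the form carries a nonce --------------------------------------
function myplugin_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save_settings">
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <label>API key
            <input type="text" name="myplugin_api_key"
                   value="<?php echo esc_attr( get_option( 'myplugin_api_key', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// --- Fixed, steps 2 and 3: verify the nonce, then check capability, then act ----
function myplugin_save_settings() {
    // Intent: check_admin_referer() dies with the "link has expired" screen
    // when the nonce field is missing, wrong, or older than 24 hours.
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

    // Permission: the nonce only proves the request came from our form for this
    // user; it says nothing about whether the user may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.', 'myplugin' ), '', array( 'response' => 403 ) );
    }

    // Only now read, unslash and sanitize the input and change state.
    $api_key = isset( $_POST['myplugin_api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['myplugin_api_key'] ) )
        : '';
    update_option( 'myplugin_api_key', $api_key );

    wp_safe_redirect( add_query_arg( 'settings-updated', 'true', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_myplugin_save_settings', 'myplugin_save_settings' );

// --- Same pattern for an admin AJAX endpoint ------------------------------------
function myplugin_enqueue_admin_js() {
    wp_enqueue_script( 'myplugin-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    // The (assumed) admin.js sends this value as the `_ajax_nonce` POST field.
    wp_localize_script( 'myplugin-admin', 'myplugin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'myplugin_reset_stats' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'myplugin_enqueue_admin_js' );

function myplugin_ajax_reset_stats() {
    // Checks $_REQUEST['_ajax_nonce'] (then '_wpnonce') and responds -1 / 403 on failure.
    check_ajax_referer( 'myplugin_reset_stats' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    delete_option( 'myplugin_stats' );
    wp_send_json_success();
}
add_action( 'wp_ajax_myplugin_reset_stats', 'myplugin_ajax_reset_stats' );

// --- Same pattern for a GET link, e.g. a list-table row action -------------------
function myplugin_reset_link() {
    return wp_nonce_url( admin_url( 'admin-post.php?action=myplugin_reset' ), 'myplugin_reset', 'myplugin_nonce' );
}

function myplugin_handle_reset_link() {
    $nonce = isset( $_GET['myplugin_nonce'] ) ? sanitize_text_field( wp_unslash( $_GET['myplugin_nonce'] ) ) : '';
    // wp_verify_nonce() never dies: it returns false, 1 (under 12h old) or 2 (12-24h old).
    if ( ! wp_verify_nonce( $nonce, 'myplugin_reset' ) || ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Invalid request.', 'myplugin' ), '', array( 'response' => 403 ) );
    }
    delete_option( 'myplugin_stats' );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_myplugin_reset', 'myplugin_handle_reset_link' );
```

The ordering matters: the nonce check runs before any `$_POST`/`$_GET` value is read, and the capability check is a separate statement rather than being folded into the nonce, because a valid nonce from a low-privilege user's own page would otherwise let that user reach an action meant for administrators.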
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1901 | Movylo Marketing Automation | 35 | 38 | 88 | 700 | | | error log print r |
| #1902 | Moyasar | 35 | 436 | 128 | 700 | | | Text Domain Mismatch |
| #1903 | My Eyes Are Up Here | 35 | 7 | 12 | 2k+ | | | Missing nonce verification |
| #1904 | Never Let Me Go | 35 | 34 | 47 | 400 | | | Non-prefixed global variable |
| #1905 | NGG Smart Image Search | 35 | 298 | 155 | 400 | | | Output is not escaped |
| #1906 | Nooz | 35 | 287 | 108 | 500 | | | Text Domain Mismatch |
| #1907 | One Page Express Companion | 35 | 132 | 65 | 10k+ | | | Output is not escaped |
| #1908 | ONet Regenerate Thumbnails | 35 | 190 | 64 | 1k+ | | | Text Domain Mismatch |
| #1909 | Plugin Ongkos Kirim JNE Tiki Sicepat Wahana J&T POS for Woocommerce | 35 | 117 | 144 | 2k+ | | | Output is not escaped |
| #1910 | Orderable – Restaurant & Food Ordering System | 35 | 12 | 324 | 5k+ | | | Non-prefixed global variable |
| #1911 | Page Visits Counter – Lite | 35 | 28 | 35 | 5k+ | | | Output is not escaped |
| #1912 | Paybox WooCommerce Payment Gateway | 35 | 165 | 88 | 500 | | | Non Singular String Literal Domain |
| #1913 | Paytm Payment Gateway | 35 | 92 | 104 | 3k+ | | | Missing Arg Domain |
| #1914 | Perfecty Push Notifications | 35 | 204 | 213 | 4k+ | | | SQL query is not prepared |
| #1915 | Permissions Editor for Ninja Forms | 35 | 29 | 6 | 1k+ | | | Output is not escaped |
| #1916 | PiWeb Delivery & Pickup Date Time for WooCommerce | 35 | 377 | 163 | 500 | | | Text Domain Mismatch |
| #1917 | Planyo online reservation system | 35 | 64 | 90 | 400 | | | Output is not escaped |
| #1918 | Plausible Analytics | 35 | 244 | 61 | 10k+ | | | Exception output is not escaped |
| #1919 | Accept Cryptocurrencies with Plisio | 35 | 37 | 47 | 1k+ | | | Text Domain Mismatch |
| #1920 | Pochipp | 35 | 27 | 102 | 20k+ | | | Non-prefixed global variable |
| #1921 | Poptin – Email Marketing Automation, Newsletter & Exit Pop Ups, Email Popups | 35 | 168 | 29 | 20k+ | | | Output is not escaped |
| #1922 | Popular Posts | 35 | 166 | 71 | 900 | | | Unsafe printing function |
| #1923 | Post Draft Preview | 35 | 49 | 69 | 700 | | | Text Domain Mismatch |
| #1924 | Post List Featured Image | 35 | 112 | 100 | 900 | | | Output is not escaped |
| #1925 | Post Meta Data Manager | 35 | 30 | 112 | 1k+ | | | Non-prefixed global variable |
| #1926 | Post Password Token | 35 | 132 | 38 | 600 | | | Text Domain Mismatch |
| #1927 | Posts Table with Search & Sort | 35 | 143 | 33 | 3k+ | | | Text Domain Mismatch |
| #1928 | Min Max Step Quantity Limits Manager for WooCommerce | 35 | 67 | 158 | 3k+ | | | Non-prefixed global variable |
| #1929 | Protect the Children! | 35 | 2 | 34 | 1k+ | | | Missing nonce verification |
| #1930 | Publitio | 35 | 47 | 26 | 400 | | | curl curl setopt |
| #1931 | Push Notifications by LaraPush | 35 | 32 | 76 | 4k+ | | | Non-prefixed global variable |
| #1932 | Push7 | 35 | 45 | 17 | 700 | | | Short PHP open tag found |
| #1933 | Quran multilanguage Text & Audio | 35 | 177 | 166 | 500 | | | Output is not escaped |
| #1934 | ReactPress – Create React App for WordPress | 35 | 26 | 43 | 3k+ | | | Request data is not unslashed |
| #1935 | Real Time Validation for Gravity Forms | 35 | 185 | 30 | 2k+ | | | Output is not escaped |
| #1936 | Really Simple Google Tag Manager (GTM) | 35 | 115 | 15 | 4k+ | | | Text Domain Mismatch |
| #1937 | Related Posts for WordPress | 35 | 207 | 180 | 10k+ | | | Output is not escaped |
| #1938 | ReOrder Posts within Categories | 35 | 39 | 207 | 7k+ | | | Non-prefixed global variable |
| #1939 | Reseller Store | 35 | 56 | 34 | 1k+ | | | Output is not escaped |
| #1940 | sCode (Easy Shortcodes) | 35 | 157 | 97 | 400 | | | Text Domain Mismatch |
| #1941 | Scroll Styler | 35 | 52 | 21 | 900 | | | Output is not escaped |
| #1942 | Internal Links Manager | 35 | 188 | 121 | 10k+ | | | Output is not escaped |
| #1943 | Shipping Zones by Drawing for WooCommerce | 35 | 278 | 95 | 600 | | | Text Domain Mismatch |
| #1944 | Shop Page WP | 35 | 68 | 23 | 2k+ | | | Unsafe printing function |
| #1945 | Shopkeeper Extender | 35 | 14 | 26 | 5k+ | | | Missing Version |
| #1946 | Product Feed for Google Shopping, Microsoft Advertising and 40+ Channels for WooCommerce Merchant | 35 | 83 | 76 | 2k+ | | | Output is not escaped |
| #1947 | SHOPVOTE | 35 | 64 | 58 | 400 | | | curl curl setopt |
| #1948 | Simple CAPTCHA with Cloudflare Turnstile | 35 | 82 | 148 | 100k+ | | | Output is not escaped |
| #1949 | Simple Export Import for ACF Data | 35 | 19 | 64 | 1k+ | | | Request data is not unslashed |
| #1950 | Simple Image Sizes | 35 | 53 | 75 | 60k+ | | | Unsafe printing function |