WordPress.Security.NonceVerification.Missing
Missing nonce verification
A request handler uses request data without verifying that the request was intentionally created by WordPress.
Why It Shows Up
The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.
Why It Matters
Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.
How to Fix
- Add a nonce to the form, link, AJAX request, or REST request.
- Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
- Keep capability checks separate; nonces prove intent, not permission.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #151 | Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider | 22 | 207 | 323 | 500k+ | Non-prefixed global variable | ||
| #152 | Modula Image Gallery – Photo Grid & Video Gallery | 22 | 474 | 436 | 100k+ | Text Domain Mismatch | ||
| #153 | Molongui Authorship – Author Boxes, Guest Authors & Co-Authors for WordPress | 22 | 919 | 1,230 | 10k+ | Output is not escaped | ||
| #154 | Moloni | 22 | 902 | 356 | 2k+ | Missing Arg Domain | ||
| #155 | Motors – Car Dealership & Classified Listings Plugin | 22 | 5,340 | 5,958 | 9k+ | Text Domain Mismatch | ||
| #156 | Newsletters | 22 | 2,968 | 2,248 | 2k+ | Text Domain Mismatch | ||
| #157 | NinjaFirewall (WP Edition) – Advanced Security Plugin and Firewall | 22 | 1,265 | 2,065 | 100k+ | Non-prefixed global variable | ||
| #158 | NinjaScanner – Virus & Malware scan | 22 | 596 | 551 | 30k+ | Non-prefixed global variable | ||
| #159 | WP OAuth Server (OAuth Authentication) | 22 | 189 | 347 | 3k+ | Non-prefixed function | ||
| #160 | oik | 22 | 489 | 180 | 2k+ | Non Singular String Literal Domain | ||
| #161 | PagBank / PagSeguro Connect para WooCommerce | 22 | 504 | 743 | 4k+ | Non-prefixed global variable | ||
| #162 | PAYCOMET for WooCommerce | 22 | 1,206 | 423 | 2k+ | Text Domain Mismatch | ||
| #163 | Smart Popup by Supsystic | 22 | 3,172 | 503 | 10k+ | Non Singular String Literal Domain | ||
| #164 | Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App | 22 | 1,581 | 2,326 | 300k+ | Non-prefixed global variable | ||
| #165 | Prime Mover – Migrate WordPress Website & Backups | 22 | 1,326 | 1,600 | 10k+ | Non-prefixed global variable | ||
| #166 | Product Catalog Feed by PixelYourSite | 22 | 581 | 357 | 8k+ | Output is not escaped | ||
| #167 | Pronamic Pay | 22 | 258 | 1,077 | 3k+ | Non-prefixed global variable | ||
| #168 | PageSpeed Ninja – Cache, Minify, Defer CSS JavaScript, Critical CSS, Optimize Images, Convert WebP | 22 | 984 | 407 | 5k+ | Unsafe printing function | ||
| #169 | Quick Contact Form | 22 | 260 | 623 | 1k+ | Non-prefixed function | ||
| #170 | RabbitLoader Cache: Optimize your Website for Speed | 22 | 241 | 163 | 2k+ | Output is not escaped | ||
| #171 | Restrict User Access – Ultimate Membership & Content Protection | 22 | 977 | 1,840 | 10k+ | Non-prefixed global variable | ||
| #172 | Salon Booking System – Free Version | 22 | 650 | 619 | 3k+ | Missing direct file access protection | ||
| #173 | Seraphinite Accelerator | 22 | 594 | 255 | 50k+ | Output is not escaped | ||
| #174 | ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF | 22 | 1,044 | 799 | 300k+ | Non-prefixed global variable | ||
| #175 | Simple Job Board | 22 | 634 | 1,355 | 10k+ | Non-prefixed global variable | ||
| #176 | Slim Jetpack | 22 | 2,586 | 1,947 | 2k+ | Text Domain Mismatch | ||
| #177 | NextScripts: Social Networks Auto-Poster | 22 | 2,408 | 1,133 | 30k+ | Output is not escaped | ||
| #178 | SportsPress – Sports Club & League Manager | 22 | 460 | 2,242 | 10k+ | Non-prefixed global variable | ||
| #179 | SSL Zen — SSL Certificate Installer & HTTPS Redirects | 22 | 779 | 1,575 | 10k+ | Non-prefixed global variable | ||
| #180 | Stylish Price List – Price Table Builder & QR Code Restaurant Menu | 22 | 674 | 678 | 3k+ | Output is not escaped | ||
| #181 | Swift Performance Lite | 22 | 2,346 | 1,325 | 7k+ | Text Domain Mismatch | ||
| #182 | 10Web Booster – Website speed optimization, Cache & Page Speed optimizer | 22 | 513 | 601 | 80k+ | Non-prefixed global variable | ||
| #183 | The Moneytizer | 22 | 751 | 271 | 1k+ | Text Domain Mismatch | ||
| #184 | Theme Editor | 22 | 798 | 685 | 50k+ | Output is not escaped | ||
| #185 | ThemeHunk Customizer | 22 | 3,969 | 582 | 7k+ | Text Domain Mismatch | ||
| #186 | Uncanny Toolkit for LearnDash | 22 | 539 | 994 | 20k+ | Output is not escaped | ||
| #187 | Search & Replace Everything – Quick and Easy Way to Find and Replace Text, Links | 22 | 1,044 | 1,797 | 20k+ | Non-prefixed global variable | ||
| #188 | URL Shortify – Simple and Easy URL Shortener | 22 | 1,520 | 2,689 | 10k+ | Non-prefixed global variable | ||
| #189 | Welcart e-Commerce | 22 | 10,377 | 10,896 | 10k+ | Text Domain Mismatch | ||
| #190 | WCFM Marketplace – Multivendor Marketplace for WooCommerce | 22 | 1,937 | 1,969 | 10k+ | Non-prefixed global variable | ||
| #191 | WCFM Membership – WooCommerce Memberships for Multivendor Marketplace | 22 | 559 | 675 | 10k+ | Non-prefixed global variable | ||
| #192 | Advanced AJAX Product Filters | 22 | 2,683 | 1,205 | 50k+ | Text Domain Mismatch | ||
| #193 | CoDesigner – All in One Elementor WooCommerce Builder | 22 | 4,131 | 774 | 5k+ | Text Domain Mismatch | ||
| #194 | Simple Shopping Cart | 22 | 796 | 536 | 10k+ | Unsafe printing function | ||
| #195 | ManageWP Worker | 22 | 507 | 565 | 1m+ | Non-prefixed class | ||
| #196 | WP Affiliate Disclosure | 22 | 1,358 | 1,504 | 1k+ | Non-prefixed global variable | ||
| #197 | Asset CleanUp: Page Speed Booster | 22 | 2,030 | 2,485 | 100k+ | Non-prefixed global variable | ||
| #198 | WP Express Checkout (Fast Payments via PayPal & Stripe) | 22 | 591 | 627 | 1k+ | Output is not escaped | ||
| #199 | File Manager | 22 | 740 | 520 | 1m+ | Unsafe printing function | ||
| #200 | WP Fusion Lite – Marketing Automation and CRM Integration for WordPress | 22 | 276 | 683 | 5k+ | Nonce verification recommended |
