WordPress.Security.NonceVerification.Missing

Missing nonce verification

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical weight

Why It Shows Up

The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.

Why It Matters

Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.

How to Fix

  • Add a nonce to the form, link, AJAX request, or REST request.
  • Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
  • Keep capability checks separate; nonces prove intent, not permission.

Affected Plugins

Rank, Plugin, Score, Errors, Warnings, Installs, Added, Updated, Top Issue
#2001Payment Gateway for PayPal Pro & PayPal Checkout for WooCommerce35671472k+Request data is not unslashed
#2002Quaderno: Global Tax & Invoicing Automation for WooCommerce35470500Missing nonce verification
#2003Brevo for WooCommerce351166730k+Output is not escaped
#2004Kybernaut IČO DIČ3579683k+Missing nonce verification
#2005BulkGate SMS Plugin for WooCommerce3533321k+Output is not escaped
#2006WP Cassify35106143800Missing nonce verification
#2007Category Dropdown by GCS Design3593521k+Output is not escaped
#2008WP Datepicker352251817k+Output is not escaped
#2009Database Backup for WordPress351288870k+Output is not escaped
#2010WP Duplicate Page35445060k+Text Domain Mismatch
#2011Auto Publish for Google My Business3521619210k+Input is not validated
#2012Mail logging – WP Mail Catcher3523215720k+Text Domain Mismatch
#2013WP-PageNavi358495500k+Non Singular String Literal Domain
#2014WP PGP Encrypted Emails356339400Output is not escaped
#2015WP-PostViews3513264100k+Unsafe printing function
#2016WP Spam Question Filter3563302k+Output is not escaped
#2017Subresource Integrity (SRI) Manager352694900Request data is not unslashed
#2018Integration for WooCommerce and QuickBooks352631251k+Output is not escaped
#2019WPC Badge Management for WooCommerce3513812k+Missing nonce verification
#2020WP Views Counter3581422k+Output is not escaped
#2021WPElemento Importer351261239k+Text Domain Mismatch
#2022WPFront User Role Editor3533357830k+Output is not escaped
#2023wpLingua – Automatic translation – Translate and make website multilingual35791672k+Nonce verification recommended
#2024WPPerformanceTester3594441k+Output is not escaped
#2025WPZOOM Addons for Elementor – Starter Templates & Widgets3516013020k+Output is not escaped
#2026WPZOOM Forms – Drag & Drop Contact Form Builder for WordPress357410910k+Nonce verification recommended
#2027WPZOOM Portfolio Lite – Filterable Portfolio Plugin35429220k+Non-prefixed global variable
#2028WSB HUB335361091k+Missing nonce verification
#2029xili-tidy-tags352241571k+Output is not escaped
#2030TypeSquare Webfonts for エックスサーバー3518398100k+Missing Arg Domain
#2031Yabe Webfont – Use Custom Fonts, Google Fonts or Adobe Fonts35481145k+Non-prefixed hook name
#2032Yes/No Chart351361392k+Unsafe printing function
#2033Year Make Model Search for WooCommerce351881621k+Output is not escaped
#2034Yoco Payments3523210k+Nonce verification recommended
#2035Yotpo: Product & Photo Reviews for WooCommerce35241892k+Non-prefixed function
#2036Embeds for YouTube3525530710k+Non-prefixed global variable
#20372C2P Redirect API for WooCommerce3613662900wp function not compatible with requires wp
#20383B Meteo3650761k+Output is not escaped
#2039Age Verification for your checkout page. Verify your customer's identity36155238500Output is not escaped
#2040authLdap3647304k+Exception output is not escaped
#2041Bard Extra3615975700Text Domain Mismatch
#2042Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder36332110k+Nonce verification recommended
#2043Blaze Demo Importer36101948k+Output is not escaped
#2044BlockStrap Page Builder – Bootstrap Blocks3681892k+Missing direct file access protection
#2045Blog, Posts and Category Filter for Elementor36159551k+Text Domain Mismatch
#2046BP Group Documents3627195600Non-prefixed global variable
#2047BP Profile Search36321855k+Output is not escaped
#2048bpost shipping369743700Output is not escaped
#2049Breadcrumb NavXT36102111800k+Non Singular String Literal Domain
#2050BuddyMeet3611432700Unsafe printing function