WordPress.Security.NonceVerification.Missing
Missing nonce verification
A request handler reads request data and acts on it without verifying that the request was deliberately initiated by the current user through the site's own form, link or script, which is what a WordPress nonce proves.
Why It Shows Up
The scan found `$_GET`, `$_POST`, `$_REQUEST` or similar superglobal data being read in a context where a nonce check is expected, but no call to `wp_verify_nonce()`, `check_admin_referer()` or `check_ajax_referer()` guards it.
Why It Matters
Without nonce verification the handler is open to cross-site request forgery (CSRF): an attacker lures a logged-in user, often an administrator, to a page that submits the state-changing request on their behalf, and because the browser attaches the user's session cookies the request is accepted as if the user had intended it.
How to Fix
- Include a nonce in whatever originates the request: `wp_nonce_field()` for a form, `wp_nonce_url()` for a link, a value from `wp_create_nonce()` handed to the script for an AJAX call, and the `X-WP-Nonce` header (action `wp_rest`) for a cookie-authenticated REST request.
- Verify it before changing state with `check_admin_referer()` or `check_ajax_referer()` (both call `wp_die()` on failure) or `wp_verify_nonce()` (returns `false` on failure and `1` or `2` on success, so test it with `!` rather than comparing to `true`). Unslash and sanitize the nonce value like any other request input.
- Keep capability checks separate; a nonce proves intent, not permission, so still call `current_user_can()` with the capability the action requires.
- A handler that only reads request data to render output (a filter or search term) does not need a nonce, but its input still needs sanitizing and its output escaping.
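The three verification paths above in one place, as an added example written for this page rather than code taken from WordPress core or from any of the plugins listed below. The `myplugin_` prefix, the `myplugin_banner` option, the nonce action names and the `manage_options` capability are assumptions chosen for illustration; the WordPress functions called are real and used with their documented signatures.

```php
<?php
// Added example, not code from WordPress core or from any scanned plugin.
// Assumed for illustration: the "myplugin_" prefix, the "myplugin_banner"
// option, the nonce action strings and the manage_options capability.

// 1. A settings form that carries a nonce bound to exactly one action.
function myplugin_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save_banner">
        <?php wp_nonce_field( 'myplugin_save_banner', '_myplugin_nonce' ); ?>
        <input type="text" name="banner"
               value="<?php echo esc_attr( get_option( 'myplugin_banner', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. Form handler: nonce first (intent), capability second (permission).
// Both are required; a valid nonce says nothing about what the user may do.
function myplugin_handle_save_banner() {
    // Dies with a 403 unless the nonce matches this action for this user,
    // so everything after this line runs only for an intentional submission.
    check_admin_referer( 'myplugin_save_banner', '_myplugin_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'myplugin' ), 403 );
    }

    // Request data is unslashed and sanitized before use, independently of the nonce.
    $banner = isset( $_POST['banner'] ) ? sanitize_text_field( wp_unslash( $_POST['banner'] ) ) : '';
    update_option( 'myplugin_banner', $banner );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php' ) ) );
    exit;
}
add_action( 'admin_post_myplugin_save_banner', 'myplugin_handle_save_banner' );

// 3. The same discipline for an admin-ajax.php handler. The page script is
// expected to send wp_create_nonce( 'myplugin_delete_banner' ) in a "nonce"
// field; check_ajax_referer() reads that field and dies on mismatch.
function myplugin_ajax_delete_banner() {
    check_ajax_referer( 'myplugin_delete_banner', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    delete_option( 'myplugin_banner' );
    wp_send_json_success();
}
add_action( 'wp_ajax_myplugin_delete_banner', 'myplugin_ajax_delete_banner' );

// 4. Manual verification with wp_verify_nonce() for a state-changing link
// built with wp_nonce_url( $url, 'myplugin_reset' ). The function returns
// false on failure and 1 or 2 on success, hence the "!" test.
function myplugin_handle_reset_link() {
    if ( ! isset( $_GET['_wpnonce'] ) ) {
        return; // Not our request; nothing to do.
    }
    $nonce = sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) );
    if ( ! wp_verify_nonce( $nonce, 'myplugin_reset' ) ) {
        wp_die( esc_html__( 'Link expired or invalid.', 'myplugin' ), 403 );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'myplugin' ), 403 );
    }
    delete_option( 'myplugin_banner' );
}
```

For a REST route the plugin does not verify the nonce itself: core checks the `X-WP-Nonce` header (action `wp_rest`) for cookie-authenticated requests before the callback runs, and the route's `permission_callback` supplies the separate capability check. Note that a nonce is tied to the current user and session and expires after a limited window, so cached pages must not embed one.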
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2001 | Payment Gateway for PayPal Pro & PayPal Checkout for WooCommerce | 35 | 67 | 147 | 2k+ | | | Request data is not unslashed |
| #2002 | Quaderno: Global Tax & Invoicing Automation for WooCommerce | 35 | 4 | 70 | 500 | | | Missing nonce verification |
| #2003 | Brevo for WooCommerce | 35 | 116 | 67 | 30k+ | | | Output is not escaped |
| #2004 | Kybernaut IČO DIČ | 35 | 79 | 68 | 3k+ | | | Missing nonce verification |
| #2005 | BulkGate SMS Plugin for WooCommerce | 35 | 33 | 32 | 1k+ | | | Output is not escaped |
| #2006 | WP Cassify | 35 | 106 | 143 | 800 | | | Missing nonce verification |
| #2007 | Category Dropdown by GCS Design | 35 | 93 | 52 | 1k+ | | | Output is not escaped |
| #2008 | WP Datepicker | 35 | 225 | 181 | 7k+ | | | Output is not escaped |
| #2009 | Database Backup for WordPress | 35 | 128 | 88 | 70k+ | | | Output is not escaped |
| #2010 | WP Duplicate Page | 35 | 44 | 50 | 60k+ | | | Text Domain Mismatch |
| #2011 | Auto Publish for Google My Business | 35 | 216 | 192 | 10k+ | | | Input is not validated |
| #2012 | Mail logging – WP Mail Catcher | 35 | 232 | 157 | 20k+ | | | Text Domain Mismatch |
| #2013 | WP-PageNavi | 35 | 84 | 95 | 500k+ | | | Non Singular String Literal Domain |
| #2014 | WP PGP Encrypted Emails | 35 | 63 | 39 | 400 | | | Output is not escaped |
| #2015 | WP-PostViews | 35 | 132 | 64 | 100k+ | | | Unsafe printing function |
| #2016 | WP Spam Question Filter | 35 | 63 | 30 | 2k+ | | | Output is not escaped |
| #2017 | Subresource Integrity (SRI) Manager | 35 | 26 | 94 | 900 | | | Request data is not unslashed |
| #2018 | Integration for WooCommerce and QuickBooks | 35 | 263 | 125 | 1k+ | | | Output is not escaped |
| #2019 | WPC Badge Management for WooCommerce | 35 | 13 | 81 | 2k+ | | | Missing nonce verification |
| #2020 | WP Views Counter | 35 | 81 | 42 | 2k+ | | | Output is not escaped |
| #2021 | WPElemento Importer | 35 | 126 | 123 | 9k+ | | | Text Domain Mismatch |
| #2022 | WPFront User Role Editor | 35 | 333 | 578 | 30k+ | | | Output is not escaped |
| #2023 | wpLingua – Automatic translation – Translate and make website multilingual | 35 | 79 | 167 | 2k+ | | | Nonce verification recommended |
| #2024 | WPPerformanceTester | 35 | 94 | 44 | 1k+ | | | Output is not escaped |
| #2025 | WPZOOM Addons for Elementor – Starter Templates & Widgets | 35 | 160 | 130 | 20k+ | | | Output is not escaped |
| #2026 | WPZOOM Forms – Drag & Drop Contact Form Builder for WordPress | 35 | 74 | 109 | 10k+ | | | Nonce verification recommended |
| #2027 | WPZOOM Portfolio Lite – Filterable Portfolio Plugin | 35 | 42 | 92 | 20k+ | | | Non-prefixed global variable |
| #2028 | WSB HUB3 | 35 | 36 | 109 | 1k+ | | | Missing nonce verification |
| #2029 | xili-tidy-tags | 35 | 224 | 157 | 1k+ | | | Output is not escaped |
| #2030 | TypeSquare Webfonts for エックスサーバー | 35 | 183 | 98 | 100k+ | | | Missing Arg Domain |
| #2031 | Yabe Webfont – Use Custom Fonts, Google Fonts or Adobe Fonts | 35 | 48 | 114 | 5k+ | | | Non-prefixed hook name |
| #2032 | Yes/No Chart | 35 | 136 | 139 | 2k+ | | | Unsafe printing function |
| #2033 | Year Make Model Search for WooCommerce | 35 | 188 | 162 | 1k+ | | | Output is not escaped |
| #2034 | Yoco Payments | 35 | 2 | 32 | 10k+ | | | Nonce verification recommended |
| #2035 | Yotpo: Product & Photo Reviews for WooCommerce | 35 | 24 | 189 | 2k+ | | | Non-prefixed function |
| #2036 | Embeds for YouTube | 35 | 255 | 307 | 10k+ | | | Non-prefixed global variable |
| #2037 | 2C2P Redirect API for WooCommerce | 36 | 136 | 62 | 900 | | | wp function not compatible with requires wp |
| #2038 | 3B Meteo | 36 | 50 | 76 | 1k+ | | | Output is not escaped |
| #2039 | Age Verification for your checkout page. Verify your customer's identity | 36 | 155 | 238 | 500 | | | Output is not escaped |
| #2040 | authLdap | 36 | 47 | 30 | 4k+ | | | Exception output is not escaped |
| #2041 | Bard Extra | 36 | 159 | 75 | 700 | | | Text Domain Mismatch |
| #2042 | Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder | 36 | 3 | 321 | 10k+ | | | Nonce verification recommended |
| #2043 | Blaze Demo Importer | 36 | 101 | 94 | 8k+ | | | Output is not escaped |
| #2044 | BlockStrap Page Builder – Bootstrap Blocks | 36 | 81 | 89 | 2k+ | | | Missing direct file access protection |
| #2045 | Blog, Posts and Category Filter for Elementor | 36 | 159 | 55 | 1k+ | | | Text Domain Mismatch |
| #2046 | BP Group Documents | 36 | 27 | 195 | 600 | | | Non-prefixed global variable |
| #2047 | BP Profile Search | 36 | 321 | 85 | 5k+ | | | Output is not escaped |
| #2048 | bpost shipping | 36 | 97 | 43 | 700 | | | Output is not escaped |
| #2049 | Breadcrumb NavXT | 36 | 102 | 111 | 800k+ | | | Non Singular String Literal Domain |
| #2050 | BuddyMeet | 36 | 114 | 32 | 700 | | | Unsafe printing function |