WordPress.Security.NonceVerification.Missing

Missing nonce verification

A request handler reads request data (`$_GET`, `$_POST`, etc.) and acts on it without checking a nonce, so it has no proof that the request was produced by this site's own form, link, or script on behalf of the current user rather than by a page on some other origin (cross-site request forgery).

Weight: critical

Why It Shows Up

The scan found `$_GET`, `$_POST`, or similar request data being used in a context where a nonce check is expected (an admin form handler, an `admin-ajax.php` callback, or another code path that changes state) but no call to `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` guards it.

Why It Matters

Without nonce verification, an attacker can host a page that makes a logged-in user's browser submit the request with the user's WordPress cookies attached. The handler cannot tell that request apart from one the user made deliberately, so settings changes, deletions, or other state changes happen without the user's knowledge. A nonce is the standard WordPress CSRF defence; it does not replace a capability check, which answers the separate question of whether the user is allowed to perform the action at all.

How to Fix

  • Add a nonce to the form, link, AJAX request, or REST request: `wp_nonce_field()` for forms, `wp_nonce_url()` for links, and `wp_create_nonce()` for values you hand to JavaScript. Each nonce should be tied to a specific action string, not a generic one shared across the plugin.
  • Verify it before reading the rest of the request or changing state: `check_admin_referer()` for admin form and `admin-post.php` handlers, `check_ajax_referer()` for `admin-ajax.php` handlers (both die on failure), or `wp_verify_nonce()` where you need to handle the failure yourself (it returns `false` rather than dying, so act on its return value).
  • Keep capability checks separate; nonces prove intent, not permission. Pair every nonce check with `current_user_can()` for the capability the action actually requires.
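The pattern described above, in one added example that is not code from the scanner page or from any plugin listed below. The `myplugin_` prefix, the option name, the action names, and the nonce action strings are assumptions for illustration; the WordPress functions are real. It shows the flagged shape first, then the `admin-post.php` and `admin-ajax.php` variants with nonce verification and a separate capability check.

```php
<?php
// Added example. Prefix "myplugin_", option "myplugin_api_key", and all action
// names are hypothetical; the WordPress API calls are real.

// BEFORE (what the sniff flags): state changes on any POST carrying the field,
// with nothing proving the current user meant to submit it.
function myplugin_save_settings_unsafe() {
    if ( isset( $_POST['myplugin_api_key'] ) ) {
        update_option( 'myplugin_api_key', sanitize_text_field( wp_unslash( $_POST['myplugin_api_key'] ) ) );
    }
}
// add_action( 'admin_init', 'myplugin_save_settings_unsafe' ); // do not register this

// 1. Render the form with a nonce field bound to a specific action string.
function myplugin_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.', 'myplugin' ) );
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save_settings" />
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <label for="myplugin_api_key">API key</label>
        <input type="text" id="myplugin_api_key" name="myplugin_api_key"
               value="<?php echo esc_attr( get_option( 'myplugin_api_key', '' ) ); ?>" />
        <?php submit_button(); ?>
    </form>
    <?php
}

// 2. admin-post.php handler: nonce (intent) first, capability (permission) second,
//    and only then read $_POST and change state.
function myplugin_handle_save_settings() {
    // Dies with a 403 "link has expired" page if the nonce is absent or invalid.
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

    // The nonce says the request came from this site's UI; it says nothing about
    // whether this user may change settings, so check that separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'myplugin' ), '', array( 'response' => 403 ) );
    }

    $api_key = isset( $_POST['myplugin_api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['myplugin_api_key'] ) )
        : '';
    update_option( 'myplugin_api_key', $api_key );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_myplugin_save_settings', 'myplugin_handle_save_settings' );

// 3. AJAX variant: hand the nonce to the script, verify it with check_ajax_referer().
function myplugin_enqueue_admin_js() {
    wp_enqueue_script( 'myplugin-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'myplugin-admin', 'mypluginAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'myplugin_delete_item' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'myplugin_enqueue_admin_js' );

function myplugin_ajax_delete_item() {
    // With no second argument this reads $_REQUEST['_ajax_nonce'] (falling back to
    // '_wpnonce'), replies "-1" and dies if the nonce does not verify.
    check_ajax_referer( 'myplugin_delete_item' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // Capability check scoped to the specific object, not just the plugin page.
    if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    wp_trash_post( $post_id );
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
add_action( 'wp_ajax_myplugin_delete_item', 'myplugin_ajax_delete_item' );
```

The accompanying `admin.js` (not shown) would POST `action=myplugin_delete_item`, `post_id=<id>` and `_ajax_nonce=mypluginAjax.nonce` to `mypluginAjax.url`. For REST routes using cookie authentication, core itself checks the `X-WP-Nonce` header (a nonce created for the `wp_rest` action) before the callback runs, so the route's job is a real `permission_callback`, not a second nonce check.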

Affected Plugins

Rank | Plugin | Score | Errors and Warnings (digits run together; split not recoverable) | Installs | Top Issue
#2051 | Bulk Post Update Date | 36 | 9666 | 10k+ | Unsafe printing function
#2052 | Bus Ticket Booking with Seat Reservation | 36 | 14519 | 800 | Non-prefixed global variable
#2053 | Better WordPress Recent Comments | 36 | 31969 | 600 | Text Domain Mismatch
#2054 | Carousel Ultimate | 36 | 45028 | 700 | Text Domain Mismatch
#2055 | Carousel Horizontal Posts Content Slider | 36 | 27159 | 2k+ | Text Domain Mismatch
#2056 | Simple SEO | 36 | 164113 | 10k+ | Non Singular String Literal Domain
#2057 | Contact Form 7 Gated Content | 36 | 12236 | 800 | Short PHP open tag found
#2058 | Multi Step for Contact Form 7 | 36 | 61106 | 10k+ | Missing nonce verification
#2059 | Contact Form 7 Polylang Module | 36 | 3245 | 5k+ | Output is not escaped
#2060 | CloudPayments Gateway for WooCommerce | 36 | 20570 | 500 | Text Domain Mismatch
#2061 | CLP – Custom Login Page by NiteoThemes | 36 | 24049 | 700 | Output is not escaped
#2062 | CM Header and Footer – Add custom scripts and styles to your header and footer with ease | 36 | 230198 | 1k+ | Output is not escaped
#2063 | Code Snippets | 36 | 34203 | 1m+ | Nonce verification recommended
#2064 | Coming Soon, Under Construction & Maintenance Mode By Dazzler | 36 | 173132 | 7k+ | Text Domain Mismatch
#2065 | Conditional Payments for WooCommerce | 36 | 292184 | 10k+ | Text Domain Mismatch
#2066 | Conditional Shipping for WooCommerce | 36 | 93196 | 10k+ | Non-prefixed global variable
#2067 | Constant Contact Forms | 36 | 3989 | 20k+ | Missing nonce verification
#2068 | Continuous Image Carousel With Lightbox | 36 | 255129 | 1k+ | Output is not escaped
#2069 | CP Blocks | 36 | 4638 | 1k+ | wp function not compatible with requires wp
#2070 | Crelly Slider | 36 | 421185 | 10k+ | Unsafe printing function
#2071 | CSH Login | 36 | 12641 | 500 | Output is not escaped
#2072 | Custom Database Applications by Caspio | 36 | 3263 | 400 | Input is not sanitized
#2073 | Custom Category Post Order | 36 | 8083 | 500 | Text Domain Mismatch
#2074 | Database Collation Fix | 36 | 5032 | 1k+ | Output is not escaped
#2075 | Depicter — Popup & Slider Builder | 36 | 130121 | 80k+ | Exception output is not escaped
#2076 | Desktop Mode | 36 | 1579 | 2k+ | Direct Query
#2077 | DeveloPress Sticky Footer Bar | 36 | 16549 | 400 | Output is not escaped
#2078 | Different Menu in Different Pages – Conditional Menu | 36 | 167113 | 4k+ | Text Domain Mismatch
#2079 | Doneren met Mollie | 36 | 420351 | 4k+ | SQL query is not prepared
#2080 | Drag and Drop Multiple File Upload for Contact Form 7 | 36 | 8236 | 60k+ | wp function not compatible with requires wp
#2081 | Duplicate Post – duplicate pages, copy content, clone posts | 36 | 7181 | 5k+ | wp function not compatible with requires wp
#2082 | Dynamic Copyright Year | 36 | 97243 | 800 | Output is not escaped
#2083 | Dynamic Front-End Heartbeat Control | 36 | 217111 | 1k+ | Text Domain Mismatch
#2084 | Dynamic Visibility for Elementor | 36 | 5689 | 50k+ | Non-prefixed hook name
#2085 | WP CTA – Call Now Button, Sticky Button & Call to Action Builder | 36 | 1433 | 2k+ | Non-prefixed global variable
#2086 | Easy Support Videos – Embed videos in the admin | 36 | 16095 | 500 | Output is not escaped
#2087 | Product Carousel Slider for Elementor | 36 | 14863 | 1k+ | Text Domain Mismatch
#2088 | Email Before Download | 36 | 8929 | 6k+ | Unsafe printing function
#2089 | Endora | 36 | 5372 | 1k+ | Output is not escaped
#2090 | Enhanced Media Library | 36 | 361117 | 60k+ | Unsafe printing function
#2091 | Enormail Sign Up Forms | 36 | 133126 | 400 | Output is not escaped
#2092 | Envo's Templates & Widgets for Elementor and WooCommerce | 36 | 1,06554 | 10k+ | Text Domain Mismatch
#2093 | Events Manager and WPML Compatibility | 36 | 101177 | 1k+ | Direct Query
#2094 | Happy WooCommerce FAQs – Ultimate Product FAQ Plugin | 36 | 65119 | 1k+ | Nonce verification recommended
#2095 | FreePay for WooCommerce | 36 | 114102 | 400 | Output is not escaped
#2096 | GetPaid > Wallet | 36 | 149174 | 700 | Text Domain Mismatch
#2097 | Google SEO Pressor for Rich snippets | 36 | 51160 | 400 | Missing nonce verification
#2098 | Google Webfont Optimizer | 36 | 4549 | 700 | Output is not escaped
#2099 | Gutena Kit – Gutenberg Blocks and Templates | 36 | 3987 | 1k+ | Nonce verification recommended
#2100 | Header Footer Script Adder – Insert Code in Header, Body & Footer | 36 | 20378 | 1k+ | Text Domain Mismatch