WordPress.Security.NonceVerification.Missing

Missing nonce verification

A request handler uses request data without verifying that the request was intentionally created by WordPress.

Weight: critical

Why It Shows Up

The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.

Why It Matters

Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.

How to Fix

  • Add a nonce to the form, link, AJAX request, or REST request.
  • Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
  • Keep capability checks separate; nonces prove intent, not permission.
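The form-plus-handler pattern from the fix steps above, shown as an added example that is not code from the scanner or from any plugin listed on this page; the `myplugin_` prefix, the option name, the settings page slug and the `manage_options` capability are assumptions.

```php
<?php
// Added example, not code from the scanner or from any plugin listed on this page.
// The "myplugin_" prefix, option name, page slug and capability are assumptions.

// Before: the handler trusts $_POST and changes state with no nonce check,
// so a forged cross-site form submission from a logged-in admin would be accepted.
function myplugin_save_settings_unchecked() {
    if ( isset( $_POST['myplugin_footer_text'] ) ) {
        update_option( 'myplugin_footer_text', sanitize_text_field( wp_unslash( $_POST['myplugin_footer_text'] ) ) );
    }
}

// The form carries the nonce that the handler later verifies.
function myplugin_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <input type="hidden" name="action" value="myplugin_save_settings">
        <input type="text" name="myplugin_footer_text"
               value="<?php echo esc_attr( get_option( 'myplugin_footer_text', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// After: the nonce proves the request came from the form (intent); the
// capability check proves the user may change the option (permission).
function myplugin_save_settings() {
    // check_admin_referer() calls wp_die() when the nonce is missing or invalid.
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

    // Kept separate from the nonce check: a valid nonce does not grant access.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'myplugin' ), '', array( 'response' => 403 ) );
    }

    $value = isset( $_POST['myplugin_footer_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['myplugin_footer_text'] ) )
        : '';
    update_option( 'myplugin_footer_text', $value );

    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin&updated=1' ) );
    exit;
}
add_action( 'admin_post_myplugin_save_settings', 'myplugin_save_settings' );
```

For AJAX or REST handlers the same split applies: `check_ajax_referer()` or the REST `permission_callback` covers the nonce, and `current_user_can()` still decides authorization.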

Affected Plugins

Rank | Plugin | Score / Errors / Warnings / Installs / Added / Updated | Top Issue
#2101 | Gutena Kit – Gutenberg Blocks and Templates | 3639871k+ | Nonce verification recommended
#2102 | Header Footer Script Adder – Insert Code in Header, Body & Footer | 36203781k+ | Text Domain Mismatch
#2103 | Header Footer Code Manager | 3681180600k+ | Non-prefixed global variable
#2104 | Optimize Social Share | 36203613k+ | Unsafe printing function
#2105 | HTML Forms – Simple WordPress Forms Plugin | 3623116610k+ | Output is not escaped
#2106 | HTTP Requests Manager | 3698901k+ | Output is not escaped
#2107 | Image Watermark | 367617940k+ | Missing nonce verification
#2108 | Insert Headers and Footers Code – HT Script | 36391347k+ | Text Domain Mismatch
#2109 | IntelliWidget Per Page Custom Menus and Dynamic Content | 36586162600 | Output is not escaped
#2110 | Just TinyMCE Custom Styles | 36112281k+ | Missing Arg Domain
#2111 | Lara's Google Analytics (GA4) | 36303579k+ | Unsafe printing function
#2112 | Legal Text Connector of the IT-Recht Kanzlei | 36454610k+ | Exception output is not escaped
#2113 | Libro de Reclamaciones y Quejas | 362661244k+ | Text Domain Mismatch
#2114 | Linkable Title Html and Php Widget | 3610831600 | Output is not escaped
#2115 | LONG URL MAKER | 3639711k+ | Direct Query
#2116 | LocalWeb All In One | 36342975k+ | Non-prefixed global variable
#2117 | Manage Notification E-mails | 3612998100k+ | Non-prefixed function
#2118 | Materialis Companion | 36129676k+ | Unsafe printing function
#2119 | Media Deduper | 3660999k+ | Missing Arg Domain
#2120 | Microsoft Clarity | 3648163200k+ | Nonce verification recommended
#2121 | Motors VIN Decoder | 368788500 | Output is not escaped
#2122 | News Manager | 3613457600 | Output is not escaped
#2123 | News Ticker for Elementor | 3676572k+ | Text Domain Mismatch
#2124 | NextGEN Custom Fields | 362151311k+ | SQL query is not prepared
#2125 | MailerLite – Signup forms (official) | 36430158100k+ | Output is not escaped
#2126 | We’re Open! | 362731875k+ | Unsafe printing function
#2127 | Ozh' Admin Drop Down Menu | 36125433k+ | Output is not escaped
#2128 | PayTR Sanal POS WooCommerce – iFrame API | 361175410k+ | Output is not escaped
#2129 | PDF Forms Filler for CF7 | 36185793k+ | Text Domain Mismatch
#2130 | PDF Forms Filler for WPForms | 3616154600 | Text Domain Mismatch
#2131 | Peter’s Post Notes | 362241023k+ | Output is not escaped
#2132 | Photonic Gallery & Lightbox for Flickr, SmugMug & Others | 3618016310k+ | Missing Translators Comment
#2133 | Plugins Garbage Collector (Database Cleanup) | 36325110k+ | Missing nonce verification
#2134 | Post Views Stats Counter | 36142241700 | Non-prefixed global variable
#2135 | WowStore – Store Builder & Product Blocks for WooCommerce | 36664294k+ | Non-prefixed global variable
#2136 | افزونه رسمی ترب | 36428620k+ | Exception output is not escaped
#2137 | Qubely – Advanced Gutenberg Blocks | 3639788k+ | Request data is not unslashed
#2138 | Quick 301 Redirects | 36891205k+ | Non-prefixed global variable
#2139 | Direct Checkout – Quick View – Buy Now For WooCommerce | 36901122k+ | Missing nonce verification
#2140 | QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly | 361721088k+ | Non Singular String Literal Domain
#2141 | Rara One Click Demo Import | 361229820k+ | Missing Translators Comment
#2142 | Better Find and Replace – AI-Powered Suggestions | 366712940k+ | Missing direct file access protection
#2143 | Recent Posts | 3610630500 | Text Domain Mismatch
#2144 | Search & Replace | 365053100k+ | Missing nonce verification
#2145 | Search Everything | 361657710k+ | Text Domain Mismatch
#2146 | ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution | 3663667100k+ | Non-prefixed global variable
#2147 | SMTP for SendGrid – YaySMTP | 3627961k+ | Non-prefixed global variable
#2148 | StaticPress | 368879500 | Output is not escaped
#2149 | Subscribe to Comments | 3612916310k+ | Output is not escaped
#2150 | Supplier Order Email | 3654105400 | Output is not escaped