WordPress.Security.NonceVerification.Missing
Missing nonce verification
A request handler uses request data without verifying that the request was intentionally created by WordPress, i.e. that it came from a form, link, or AJAX call the site itself generated for this user.
Why It Shows Up
The scan found `$_GET`, `$_POST`, or similar request data used in a context where a nonce check is expected but none was found.
Why It Matters
Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.
How to Fix
- Add a nonce to the form, link, AJAX request, or REST request.
- Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
- Keep capability checks separate; nonces prove intent, not permission.
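The following is an added example, not code from the scanner project or from any plugin listed on this page. It shows the pattern the sniff reports (a handler that trusts `$_POST` directly) next to the fixed versions of the three cases the fix list names: a form handled via `admin-post.php` and `check_admin_referer()`, an AJAX handler using `check_ajax_referer()`, and a GET link verified manually with `wp_verify_nonce()`. The option name, nonce action strings, hook names and capability are assumptions chosen for the example; the WordPress functions themselves are real core API.

```php
<?php
// Added example. Assumed names: option "myplugin_footer_code", nonce actions
// "myplugin_save_settings", "myplugin_clear_cache" and "myplugin_delete_<id>",
// and the "manage_options" capability. All wp_* / check_* functions are WordPress core.

// BEFORE: this is what the sniff flags. $_POST is used to change state with no
// proof that the request came from a form this site generated for this user.
function myplugin_save_settings_unsafe() {
    if ( isset( $_POST['footer_code'] ) ) {
        update_option( 'myplugin_footer_code', $_POST['footer_code'] );
    }
}

// AFTER (form): the form carries a nonce field tied to the action name.
function myplugin_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save_settings">
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <textarea name="footer_code"><?php echo esc_textarea( get_option( 'myplugin_footer_code', '' ) ); ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

function myplugin_save_settings() {
    // Nonce: proves intent (the request originated from our form). Dies on failure.
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );
    // Capability: proves permission. A valid nonce never replaces this check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.', 'myplugin' ), '', 403 );
    }
    $code = isset( $_POST['footer_code'] )
        ? sanitize_textarea_field( wp_unslash( $_POST['footer_code'] ) )
        : '';
    update_option( 'myplugin_footer_code', $code );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_myplugin_save_settings', 'myplugin_save_settings' );

// AFTER (AJAX): hand the nonce to the script, verify it with check_ajax_referer().
function myplugin_enqueue_admin_script() {
    wp_enqueue_script( 'myplugin-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'myplugin-admin', 'mypluginAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'myplugin_clear_cache' ), // read as mypluginAjax.nonce in admin.js
    ) );
}
add_action( 'admin_enqueue_scripts', 'myplugin_enqueue_admin_script' );

function myplugin_ajax_clear_cache() {
    check_ajax_referer( 'myplugin_clear_cache', 'nonce' ); // expects $_REQUEST['nonce']; dies on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    delete_transient( 'myplugin_cache' );
    wp_send_json_success();
}
add_action( 'wp_ajax_myplugin_clear_cache', 'myplugin_ajax_clear_cache' );

// AFTER (GET link): build the link with wp_nonce_url() and verify by hand with
// wp_verify_nonce() when you want a non-fatal result. Binding the item id into
// the action string means a nonce for one item cannot be replayed against another.
function myplugin_delete_link( $item_id ) {
    $url = add_query_arg( array( 'action' => 'myplugin_delete', 'item' => absint( $item_id ) ), admin_url( 'admin-post.php' ) );
    return wp_nonce_url( $url, 'myplugin_delete_' . absint( $item_id ), 'myplugin_nonce' );
}

function myplugin_handle_delete() {
    if ( ! isset( $_GET['myplugin_nonce'], $_GET['item'] ) ) {
        return;
    }
    $item_id = absint( $_GET['item'] );
    $nonce   = sanitize_key( wp_unslash( $_GET['myplugin_nonce'] ) );
    if ( ! wp_verify_nonce( $nonce, 'myplugin_delete_' . $item_id ) || ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Invalid or expired request.', 'myplugin' ), '', 403 );
    }
    wp_delete_post( $item_id, true );
    wp_safe_redirect( wp_get_referer() );
    exit;
}
add_action( 'admin_post_myplugin_delete', 'myplugin_handle_delete' );
```

Two points the sniff does not check but a reviewer will: the nonce check must run before the first state change, not after it, and a nonce is bound to the logged-in user and a time window, so a handler that also needs to work for logged-out visitors (the `wp_ajax_nopriv_` hook) cannot rely on nonces alone for authorization.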
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2101 | Gutena Kit – Gutenberg Blocks and Templates | 36 | 39 | 87 | 1k+ | | | Nonce verification recommended |
| #2102 | Header Footer Script Adder – Insert Code in Header, Body & Footer | 36 | 203 | 78 | 1k+ | | | Text Domain Mismatch |
| #2103 | Header Footer Code Manager | 36 | 81 | 180 | 600k+ | | | Non-prefixed global variable |
| #2104 | Optimize Social Share | 36 | 203 | 61 | 3k+ | | | Unsafe printing function |
| #2105 | HTML Forms – Simple WordPress Forms Plugin | 36 | 231 | 166 | 10k+ | | | Output is not escaped |
| #2106 | HTTP Requests Manager | 36 | 98 | 90 | 1k+ | | | Output is not escaped |
| #2107 | Image Watermark | 36 | 76 | 179 | 40k+ | | | Missing nonce verification |
| #2108 | Insert Headers and Footers Code – HT Script | 36 | 391 | 34 | 7k+ | | | Text Domain Mismatch |
| #2109 | IntelliWidget Per Page Custom Menus and Dynamic Content | 36 | 586 | 162 | 600 | | | Output is not escaped |
| #2110 | Just TinyMCE Custom Styles | 36 | 112 | 28 | 1k+ | | | Missing Arg Domain |
| #2111 | Lara's Google Analytics (GA4) | 36 | 303 | 57 | 9k+ | | | Unsafe printing function |
| #2112 | Legal Text Connector of the IT-Recht Kanzlei | 36 | 45 | 46 | 10k+ | | | Exception output is not escaped |
| #2113 | Libro de Reclamaciones y Quejas | 36 | 266 | 124 | 4k+ | | | Text Domain Mismatch |
| #2114 | Linkable Title Html and Php Widget | 36 | 108 | 31 | 600 | | | Output is not escaped |
| #2115 | LONG URL MAKER | 36 | 39 | 71 | 1k+ | | | Direct Query |
| #2116 | LocalWeb All In One | 36 | 34 | 297 | 5k+ | | | Non-prefixed global variable |
| #2117 | Manage Notification E-mails | 36 | 129 | 98 | 100k+ | | | Non-prefixed function |
| #2118 | Materialis Companion | 36 | 129 | 67 | 6k+ | | | Unsafe printing function |
| #2119 | Media Deduper | 36 | 60 | 99 | 9k+ | | | Missing Arg Domain |
| #2120 | Microsoft Clarity | 36 | 48 | 163 | 200k+ | | | Nonce verification recommended |
| #2121 | Motors VIN Decoder | 36 | 87 | 88 | 500 | | | Output is not escaped |
| #2122 | News Manager | 36 | 134 | 57 | 600 | | | Output is not escaped |
| #2123 | News Ticker for Elementor | 36 | 76 | 57 | 2k+ | | | Text Domain Mismatch |
| #2124 | NextGEN Custom Fields | 36 | 215 | 131 | 1k+ | | | SQL query is not prepared |
| #2125 | MailerLite – Signup forms (official) | 36 | 430 | 158 | 100k+ | | | Output is not escaped |
| #2126 | We’re Open! | 36 | 273 | 187 | 5k+ | | | Unsafe printing function |
| #2127 | Ozh' Admin Drop Down Menu | 36 | 125 | 43 | 3k+ | | | Output is not escaped |
| #2128 | PayTR Sanal POS WooCommerce – iFrame API | 36 | 117 | 54 | 10k+ | | | Output is not escaped |
| #2129 | PDF Forms Filler for CF7 | 36 | 185 | 79 | 3k+ | | | Text Domain Mismatch |
| #2130 | PDF Forms Filler for WPForms | 36 | 161 | 54 | 600 | | | Text Domain Mismatch |
| #2131 | Peter’s Post Notes | 36 | 224 | 102 | 3k+ | | | Output is not escaped |
| #2132 | Photonic Gallery & Lightbox for Flickr, SmugMug & Others | 36 | 180 | 163 | 10k+ | | | Missing Translators Comment |
| #2133 | Plugins Garbage Collector (Database Cleanup) | 36 | 32 | 51 | 10k+ | | | Missing nonce verification |
| #2134 | Post Views Stats Counter | 36 | 142 | 241 | 700 | | | Non-prefixed global variable |
| #2135 | WowStore – Store Builder & Product Blocks for WooCommerce | 36 | 66 | 429 | 4k+ | | | Non-prefixed global variable |
| #2136 | افزونه رسمی ترب | 36 | 42 | 86 | 20k+ | | | Exception output is not escaped |
| #2137 | Qubely – Advanced Gutenberg Blocks | 36 | 39 | 78 | 8k+ | | | Request data is not unslashed |
| #2138 | Quick 301 Redirects | 36 | 89 | 120 | 5k+ | | | Non-prefixed global variable |
| #2139 | Direct Checkout – Quick View – Buy Now For WooCommerce | 36 | 90 | 112 | 2k+ | | | Missing nonce verification |
| #2140 | QuickWebP – Compress / Optimize Images & Convert WebP \| SEO Friendly | 36 | 172 | 108 | 8k+ | | | Non Singular String Literal Domain |
| #2141 | Rara One Click Demo Import | 36 | 122 | 98 | 20k+ | | | Missing Translators Comment |
| #2142 | Better Find and Replace – AI-Powered Suggestions | 36 | 67 | 129 | 40k+ | | | Missing direct file access protection |
| #2143 | Recent Posts | 36 | 106 | 30 | 500 | | | Text Domain Mismatch |
| #2144 | Search & Replace | 36 | 50 | 53 | 100k+ | | | Missing nonce verification |
| #2145 | Search Everything | 36 | 165 | 77 | 10k+ | | | Text Domain Mismatch |
| #2146 | ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution | 36 | 63 | 667 | 100k+ | | | Non-prefixed global variable |
| #2147 | SMTP for SendGrid – YaySMTP | 36 | 27 | 96 | 1k+ | | | Non-prefixed global variable |
| #2148 | StaticPress | 36 | 88 | 79 | 500 | | | Output is not escaped |
| #2149 | Subscribe to Comments | 36 | 129 | 163 | 10k+ | | | Output is not escaped |
| #2150 | Supplier Order Email | 36 | 54 | 105 | 400 | | | Output is not escaped |