WordPress.Security.NonceVerification.Missing
Missing nonce verification
A request handler reads request data and acts on it without first verifying a nonce, so nothing proves the request was intentionally made by the current user from a page WordPress served to them rather than forged by a third-party site.
Why It Shows Up
The scan found `$_GET`, `$_POST`, or similar request data (`$_REQUEST`, `$_FILES`) in a function where no nonce-verifying call (`wp_verify_nonce()`, `check_admin_referer()`, `check_ajax_referer()`) appears before the access. The sniff recognises those core functions by name; a wrapper of your own must be registered through the sniff's `customNonceVerificationFunctions` ruleset property, otherwise every handler that relies on it is reported. The sibling code `NonceVerification.Recommended` is the warning-level variant of the same check.
Why It Matters
Without nonce verification the handler is open to cross-site request forgery (CSRF): an attacker's page can auto-submit a form or load a URL that targets the handler, the victim's browser attaches the WordPress auth cookies, and the state change runs with the victim's privileges. A WordPress nonce is a keyed hash bound to the user ID, their session token, the action name and a time window (24 hours by default, adjustable through the `nonce_life` filter); a forging site cannot obtain one, so verifying it proves the request originated from a page WordPress generated for that user.
How to Fix
- Add a nonce where the request is created: `wp_nonce_field()` in a form, `wp_nonce_url()` on a link, `wp_create_nonce()` passed to a script (via `wp_localize_script()` or `wp_add_inline_script()`) for AJAX, and the `X-WP-Nonce` header (action `wp_rest`) for REST requests. Always pass a specific action name; the default action `-1` makes every default nonce interchangeable.
- Verify it before changing state: `check_admin_referer()` calls `wp_die()` on failure, `check_ajax_referer()` dies with `-1` and HTTP 403, and `wp_verify_nonce()` returns `1`, `2` or `false`, so branch on its return value (never compare it `=== true`). Unslash and sanitize the nonce value before passing it, or the unslash and sanitization sniffs fire on the same line.
- For REST routes, do not re-verify the `wp_rest` nonce in the callback: core checks the header before the callback runs and treats a missing or stale nonce as an unauthenticated request, so put the decision in `permission_callback`.
- Keep capability checks separate; nonces prove intent, not permission. Pair every nonce check with `current_user_can()`.
- Request parameters that only filter read-only output (a list page's sort key, for example) need no nonce; if the sniff still reports them, suppress that one line with `// phpcs:ignore WordPress.Security.NonceVerification.Missing` and a comment stating why.
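The fix steps applied end to end, as an added example that is not code from the original page or from any plugin in the table below. It is a hypothetical `acme` settings plugin: every `acme_*` name, the option key, the action names and the nonce field name are assumptions chosen for illustration; everything else is WordPress core API. The flagged form comes first, then the hardened admin-post handler, an admin-ajax variant, a manual `wp_verify_nonce()` check for a flow that must not `wp_die()`, and a REST route.

```php
<?php
/**
 * Added example, not code from the original page or any listed plugin.
 * Hypothetical plugin "acme": all acme_* names, option keys, action names
 * and the nonce field name are assumptions. wp_nonce_field(),
 * check_admin_referer(), check_ajax_referer(), wp_verify_nonce(),
 * current_user_can() and register_rest_route() are WordPress core.
 */

// BEFORE: the pattern the sniff flags. Any third-party page can auto-submit a
// form to admin-post.php?action=acme_save; the victim's browser attaches the
// WordPress auth cookies and the option changes without the admin's intent.
function acme_save_settings_unsafe() {
	update_option( 'acme_api_endpoint', $_POST['acme_api_endpoint'] ); // no nonce, no capability check, no unslash/sanitize
}

// AFTER, step 1: emit a nonce with the form, bound to a specific action name.
function acme_render_settings_page() {
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="acme_save">
		<?php wp_nonce_field( 'acme_save_settings', 'acme_nonce' ); ?>
		<input type="url" name="acme_api_endpoint"
			value="<?php echo esc_attr( get_option( 'acme_api_endpoint', '' ) ); ?>">
		<?php submit_button( __( 'Save', 'acme' ) ); ?>
	</form>
	<?php
}

// AFTER, steps 2 and 3: verify intent, then permission, then clean the input.
function acme_save_settings() {
	// Intent: check_admin_referer() reads $_REQUEST['acme_nonce'] and calls
	// wp_die() when it is absent or invalid, so nothing below runs for a forgery.
	check_admin_referer( 'acme_save_settings', 'acme_nonce' );

	// Permission: a valid nonce proves only that the form came from a page
	// WordPress served to this user; it says nothing about what they may do.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'You are not allowed to change these settings.', 'acme' ), 403 );
	}

	// Input hygiene: unslash, sanitize, validate; never store the raw superglobal.
	$endpoint = isset( $_POST['acme_api_endpoint'] )
		? esc_url_raw( wp_unslash( $_POST['acme_api_endpoint'] ) )
		: '';
	if ( '' === $endpoint ) {
		wp_die( esc_html__( 'Invalid endpoint URL.', 'acme' ), 400 );
	}

	update_option( 'acme_api_endpoint', $endpoint );
	wp_safe_redirect( admin_url( 'options-general.php?page=acme&updated=1' ) );
	exit;
}
add_action( 'admin_post_acme_save', 'acme_save_settings' );

// AJAX variant. The nonce reaches the script via wp_localize_script():
//   wp_localize_script( 'acme-admin', 'acmeAdmin',
//       array( 'nonce' => wp_create_nonce( 'acme_clear_cache' ) ) );
// and the client sends it back as the "nonce" request parameter.
function acme_ajax_clear_cache() {
	check_ajax_referer( 'acme_clear_cache', 'nonce' ); // dies with -1 / HTTP 403 on failure
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
	}
	delete_transient( 'acme_cache' );
	wp_send_json_success();
}
add_action( 'wp_ajax_acme_clear_cache', 'acme_ajax_clear_cache' );

// Manual check for a flow that must not wp_die(), e.g. a front-end form that
// re-renders with an error. wp_verify_nonce() returns 1 or 2 for a valid nonce
// (which half of its lifetime it is in) and false otherwise, so cast to bool;
// a strict `=== true` comparison would reject every valid nonce.
function acme_request_is_intentional( $action, $field = '_wpnonce' ) {
	$nonce = isset( $_POST[ $field ] ) ? sanitize_text_field( wp_unslash( $_POST[ $field ] ) ) : '';
	return (bool) wp_verify_nonce( $nonce, $action );
}

// REST variant. With cookie authentication core checks the X-WP-Nonce header
// (action 'wp_rest') before the callback runs and, if it is missing or stale,
// treats the request as unauthenticated. Do not re-verify it in the callback;
// the decision belongs in permission_callback, which then fails for the anonymous user.
add_action( 'rest_api_init', function () {
	register_rest_route( 'acme/v1', '/cache', array(
		'methods'             => 'DELETE',
		'permission_callback' => function () {
			return current_user_can( 'manage_options' );
		},
		'callback'            => function () {
			delete_transient( 'acme_cache' );
			return rest_ensure_response( array( 'cleared' => true ) );
		},
	) );
} );
```

Two details worth checking in your own handlers: the nonce action passed to `check_admin_referer()` must match the one given to `wp_nonce_field()` exactly (the sniff does not verify that pairing, only that a verification call exists), and a nonce printed into a page that anonymous users can see is a secret leak only for that user's own session, since the token is bound to the session, so it gains an attacker nothing unless they already hold the victim's cookies.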
References
- https://developer.wordpress.org/plugins/security/nonces/
- https://developer.wordpress.org/reference/functions/wp_verify_nonce/
- https://github.com/WordPress/WordPress-Coding-Standards
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Updated | Top Issue |
|---|---|---|---|---|---|---|---|
| #2151 | JetWidgets For Elementor | 55 | 99 | 274 | 10k+ | | Non Prefixed Variable Found |
| #2152 | Landingi Landing Pages | 55 | 18 | 23 | 2k+ | | Input Not Sanitized |
| #2153 | LoginPress \| wp-login Custom Login Page Customizer | 55 | 124 | 301 | 200k+ | | Non Prefixed Function Found |
| #2154 | Popup Maker – Responsive popup, Exit Intent Pop up, Email Optins, Autoresponder & More | 55 | 44 | 64 | 7k+ | | Text Domain Mismatch |
| #2155 | VS Contact Form | 55 | 3 | 318 | 7k+ | | Non Prefixed Variable Found |
| #2156 | VK Block Patterns | 55 | 8 | 61 | 100k+ | | Non Prefixed Function Found |
| #2157 | WP Ultimate Review | 55 | 23 | 381 | 70k+ | | Non Prefixed Variable Found |
| #2158 | Advanced Floating Content Lite | 56 | 88 | 49 | 7k+ | | Text Domain Mismatch |
| #2159 | Jquery Validation For Contact Form 7 | 56 | 18 | 19 | 9k+ | | missing direct file access protection |
| #2160 | Kwayy HTML Sitemap | 56 | 13 | 19 | 6k+ | | Missing |
| #2161 | LearnPress – Course Wishlist | 56 | 35 | 22 | 20k+ | | Output Not Escaped |
| #2162 | MAS Brands for WooCommerce | 56 | 80 | 15 | 10k+ | | Text Domain Mismatch |
| #2163 | Seed Social | 56 | 36 | 7 | 6k+ | | Output Not Escaped |
| #2164 | Export & Import WPBakery Page Builder | 56 | 12 | 20 | 9k+ | | Missing |
| #2165 | Cache-Control | 57 | 26 | 4 | 1k+ | | Output Not Escaped |
| #2166 | Hide Admin Notices | 57 | 9 | 16 | 20k+ | | Input Not Sanitized |
| #2167 | Public Post Preview | 57 | 8 | 11 | 100k+ | | Recommended |
| #2168 | Remove admin menus by role | 57 | 5 | 54 | 8k+ | | Input Not Validated |
| #2169 | Search Exclude | 57 | 73 | 40 | 50k+ | | Text Domain Mismatch |
| #2170 | Timologia for WooCommerce | 57 | 75 | 22 | 3k+ | | Text Domain Mismatch |
| #2171 | WPC Product Quantity for WooCommerce | 57 | 14 | 48 | 2k+ | | Non Prefixed Variable Found |
| #2172 | Basic User Avatars | 58 | 17 | 7 | 20k+ | | Output Not Escaped |
| #2173 | Error Log Viewer by BestWebSoft | 58 | 433 | 172 | 6k+ | | Text Domain Mismatch |
| #2174 | Houzez WooCommerce Addon | 58 | 22 | 21 | 4k+ | | Missing Translators Comment |
| #2175 | SportsPress for Basketball | 58 | 104 | 34 | 1k+ | | Text Domain Mismatch |
| #2176 | SportsPress for Football (Soccer) | 58 | 107 | 34 | 6k+ | | Text Domain Mismatch |
| #2177 | Business Reviews – Display Customer Reviews from Popular Sites | 59 | 10 | 31 | 1k+ | | Non Prefixed Class Found |
| #2178 | Disabled Source, Disabled Right Click and Content Protection | 59 | 6 | 33 | 10k+ | | Recommended |
| #2179 | File Upload For WPForms – Filenzo | 59 | 8 | 16 | 1k+ | | Output Not Escaped |
| #2180 | GDPR Data Request Form | 59 | 22 | 19 | 6k+ | | missing direct file access protection |
| #2181 | Getty Images | 59 | 11 | 46 | 2k+ | | Missing |
| #2182 | HTTP Headers | 59 | 20 | 43 | 50k+ | | Recommended |
| #2183 | JetSticky For Elementor | 59 | 13 | 38 | 30k+ | | Recommended |
| #2184 | Lazy Loader | 59 | 6 | 24 | 9k+ | | Recommended |
| #2185 | Side Menu Lite – Sticky Floating Side Menu | 59 | 9 | 123 | 7k+ | | Non Prefixed Variable Found |
| #2186 | Payment Gateway for LiqPay for Woocommerce | 59 | 84 | 31 | 1k+ | | Text Domain Mismatch |
| #2187 | GST Invoice for WooCommerce | 59 | 10 | 42 | 1k+ | | Missing |
| #2188 | RevivePress – Keep your Old Content Evergreen | 59 | 27 | 46 | 5k+ | | date date |
| #2189 | WPML Widgets | 59 | 9 | 9 | 9k+ | | Unsafe Printing Function |
| #2190 | Contact Form 7 – Phone mask field | 60 | 21 | 7 | 20k+ | | Unsafe Printing Function |
| #2191 | Contact Form 7 Modules | 60 | 47 | 15 | 5k+ | | Text Domain Mismatch |
| #2192 | Discount Rules for WooCommerce – Disco \| Dynamic Pricing, Conditions, Bulk, Bundle, BOGO | 60 | 58 | | 1k+ | | Missing Unslash |
| #2193 | Freshchat | 60 | 16 | 10 | 1k+ | | Output Not Escaped |
| #2194 | MultiStep Checkout for WooCommerce | 60 | 46 | 57 | 4k+ | | Non Singular String Literal Text |
| #2195 | WoowGallery | 60 | 15 | 178 | 1k+ | | Non Prefixed Variable Found |
| #2196 | WPB Popup for Contact Form 7 – Showing Contact Form 7 Popup on Button Click | 60 | 21 | 9 | 6k+ | | Output Not Escaped |
| #2197 | Disable Right Click For WP | 61 | 15 | 12 | 10k+ | | Missing |
| #2198 | Multiple Post Passwords | 61 | 13 | 15 | 2k+ | | Output Not Escaped |
| #2199 | Qikink Print On Demand and DropShipping | 61 | 14 | 23 | 1k+ | | Input Not Validated |
| #2200 | SHK Hide Title | 61 | 19 | 4 | 3k+ | | Output Not Escaped |