WordPress.Security.NonceVerification.Missing
Missing nonce verification
A request handler uses request data without verifying that the request came from a form, link, or AJAX call that WordPress generated for the current user, so there is no proof the user intended to make it.
Why It Shows Up
The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.
Why It Matters
Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request (cross-site request forgery, CSRF); the request carries the victim's session cookies, so the site treats it as the victim's own action.
How to Fix
- Add a nonce to the form, link, AJAX request, or REST request.
- Verify it with `check_admin_referer()` (forms and links), `check_ajax_referer()` (AJAX), or `wp_verify_nonce()` before changing state. The first two stop execution on failure; `wp_verify_nonce()` only returns `false`, so its result must be checked and acted on.
- Keep capability checks (`current_user_can()`) separate; nonces prove intent, not permission.
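The three steps above applied to a plugin settings form and to an AJAX action, as an added PHP example that is not part of this page; all `myplugin_*` function, option, nonce and action names are assumed.

```php
<?php
// Added example (not from this page); all myplugin_* names are assumed.

// What the sniff flags: $_POST is read and an option is changed with no nonce check.
function myplugin_save_settings_unverified() {
    if ( isset( $_POST['myplugin_color'] ) ) {
        update_option( 'myplugin_color', sanitize_text_field( wp_unslash( $_POST['myplugin_color'] ) ) );
    }
}

// Step 1: put a nonce in the form. wp_nonce_field() emits a hidden input
// named "myplugin_nonce" tied to the action "myplugin_save_settings".
function myplugin_render_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <input type="text" name="myplugin_color"
               value="<?php echo esc_attr( get_option( 'myplugin_color', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Steps 2 and 3: verify the nonce (intent), then the capability (permission).
function myplugin_save_settings() {
    if ( ! isset( $_POST['myplugin_color'] ) ) {
        return;
    }
    // Stops with a 403 page if the nonce is missing, expired or for another action.
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );
    // A valid nonce says nothing about permission, so check that separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Not allowed.', 'myplugin' ), '', array( 'response' => 403 ) );
    }
    update_option( 'myplugin_color', sanitize_text_field( wp_unslash( $_POST['myplugin_color'] ) ) );
}
add_action( 'admin_init', 'myplugin_save_settings' );

// AJAX variant: the client sends wp_create_nonce( 'myplugin_ajax' ) as the "nonce" field.
function myplugin_ajax_handler() {
    check_ajax_referer( 'myplugin_ajax', 'nonce' ); // responds -1 and exits on failure
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $count = isset( $_POST['count'] ) ? absint( $_POST['count'] ) : 0;
    update_option( 'myplugin_count', $count );
    wp_send_json_success( array( 'count' => $count ) );
}
add_action( 'wp_ajax_myplugin_update_count', 'myplugin_ajax_handler' );
```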
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Updated | Top Issue |
|---|---|---|---|---|---|---|---|
| #2201 | Team Showcase | 61 | 1 | 125 | 1k+ | | slow db query meta key |
| #2202 | Food Menu – Restaurant Menu & Online Ordering for WooCommerce | 61 | 16 | 1,167 | 3k+ | | Non Prefixed Variable Found |
| #2203 | Two Factor (2FA) Authentication via Email | 61 | 12 | 27 | 9k+ | | Missing Unslash |
| #2204 | WP-CORS | 61 | 7 | 23 | 1k+ | | error log error log |
| #2205 | WP Optin Wheel – Gamified Optin Email Marketing Tool for WordPress and WooCommerce | 61 | 22 | 74 | 1k+ | | Non Prefixed Variable Found |
| #2206 | Add Meta Tag Keywords | 62 | 6 | 15 | 1k+ | | Missing |
| #2207 | Custom Sidebars by ProteusThemes | 62 | 17 | 23 | 1k+ | | Missing |
| #2208 | MainWP Key Maker | 62 | 3 | 35 | 4k+ | | Input Not Sanitized |
| #2209 | Proofreading | 62 | 11 | 74 | 5k+ | | Direct Query |
| #2210 | Easy SSL Plugin for SAKURA Rental Server | 62 | 23 | 17 | 50k+ | | Input Not Sanitized |
| #2211 | Testimonial Carousel For Elementor | 62 | 34 | 56 | 10k+ | | No Html Wrapped Strings |
| #2212 | WooCommerce Product Fees | 62 | 6 | 25 | 2k+ | | Missing |
| #2213 | XPoster – Share to Bluesky and Mastodon | 62 | 26 | 36 | 10k+ | | Missing |
| #2214 | DW Block User Account | 63 | 6 | 11 | 1k+ | | Unsafe Printing Function |
| #2215 | Category Sticky Post | 63 | 4 | 24 | 3k+ | | Missing |
| #2216 | Christmasify! | 63 | 18 | 7 | 2k+ | | Output Not Escaped |
| #2217 | Classic Editor and Classic Widgets | 63 | 18 | 41 | 20k+ | | Recommended |
| #2218 | Essential Addons for Elementor – Popular Elementor Templates & Widgets | 63 | 78 | 185 | 2m+ | | wp function not compatible with requires wp |
| #2219 | Hide Admin Bar From Front End | 63 | 8 | 17 | 1k+ | | Input Not Validated |
| #2220 | Include Klaviyo for Elementor pro | 63 | 60 | 10 | 2k+ | | Missing Arg Domain |
| #2221 | Mantenimiento web | 63 | 49 | 15 | 20k+ | | Text Domain Mismatch |
| #2222 | Missed Scheduled Posts Publisher by WPBeginner | 63 | 16 | 17 | 30k+ | | Text Domain Mismatch |
| #2223 | Simple Membership After Login Redirection | 63 | 4 | 24 | 10k+ | | Missing |
| #2224 | Phone Validator for WooCommerce | 63 | 8 | 33 | 1k+ | | Missing |
| #2225 | UniqueID for Contact Form 7 | 64 | 21 | 18 | 2k+ | | Text Domain Mismatch |
| #2226 | Download Theme | 64 | 18 | 20 | 4k+ | | wp function not compatible with requires wp |
| #2227 | Estonian Shipping Methods for WooCommerce | 64 | 97 | 16 | 1k+ | | Text Domain Mismatch |
| #2228 | Favicon XT-Manager | 64 | 9 | 12 | 2k+ | | Output Not Escaped |
| #2229 | Inline Related Posts | 64 | 17 | 39 | 100k+ | | Recommended |
| #2230 | Kama SpamBlock | 64 | 29 | 7 | 5k+ | | Echo Found |
| #2231 | Moosend Website Connector | 64 | 15 | 12 | 1k+ | | Non Singular String Literal Domain |
| #2232 | MultiSafepay plugin for WooCommerce | 64 | 13 | 35 | 2k+ | | Missing |
| #2233 | Stag Custom Sidebars | 64 | 10 | 12 | 2k+ | | Text Domain Mismatch |
| #2234 | Oceanwp sticky header | 64 | 8 | 13 | 10k+ | | Missing |
| #2235 | | 64 | 27 | 23 | 9k+ | | Missing Translators Comment |
| #2236 | JTL-Connector for WooCommerce | 64 | 7 | 166 | 1k+ | | Direct Query |
| #2237 | WP Term Order | 64 | 2 | 26 | 6k+ | | Recommended |
| #2238 | Featured Galleries | 65 | 15 | 10 | 3k+ | | Output Not Escaped |
| #2239 | HTACCESS IP Blocker | 65 | 5 | 14 | 3k+ | | Missing |
| #2240 | MW WP Form reCAPTCHA | 65 | 11 | 14 | 2k+ | | Input Not Sanitized |
| #2241 | FluentBoards – Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration | 66 | 26 | 30 | 6k+ | | missing direct file access protection |
| #2242 | Page Title Splitter | 66 | 29 | 8 | 1k+ | | wp function not compatible with requires wp |
| #2243 | Raw HTML | 66 | 17 | 35 | 10k+ | | Non Prefixed Function Found |
| #2244 | User Profile Picture | 66 | 9 | 8 | 4k+ | | Missing |
| #2245 | Frenet Shipping Gateway for WooCommerce – Correios, Etiquetas e Rastreio | 66 | 22 | 31 | 4k+ | | Non Prefixed Variable Found |
| #2246 | WP Term Images | 66 | 4 | 18 | 2k+ | | Recommended |
| #2247 | Awesome Contact Form7 for Elementor | 67 | 20 | 30 | 7k+ | | Non Prefixed Variable Found |
| #2248 | Breadcrumbs Divi Module | 67 | 44 | 38 | 10k+ | | Text Domain Mismatch |
| #2249 | Caddy – WooCommerce Side Cart & Free Shipping Bar | 67 | 38 | 199 | 4k+ | | Non Prefixed Variable Found |
| #2250 | Leadster | 67 | 6 | 10 | 4k+ | | Missing Unslash |