WordPress.Security.NonceVerification.Missing
Missing nonce verification
A request handler reads request data and acts on it without verifying that the request was intentionally submitted by the current user through a form, link, or AJAX call that WordPress generated.
Why It Shows Up
The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.
Why It Matters
Without nonce verification, an attacker can trick a logged-in user's browser into submitting a state-changing request the user never intended (cross-site request forgery): the handler cannot distinguish a forged request from a legitimate one.
How to Fix
- Add a nonce to the form, link, AJAX request, or REST request (for example with `wp_nonce_field()`, `wp_nonce_url()`, or `wp_create_nonce()`).
- Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing any state.
- Keep capability checks (`current_user_can()`) separate; a nonce proves intent, not permission.
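The three steps above, shown as an added example that is not part of this scanner page or any listed plugin: a hypothetical `myplugin_*` settings handler as the scanner would flag it, and the same handler with a nonce tied to a specific action plus a separate capability check (option keys, action names, and the `security` query argument are assumptions).

```php
<?php
// Added example; myplugin_* names, option keys and nonce actions are hypothetical.

// FLAGGED: any POST carrying the field changes state, so a request forged from a
// logged-in administrator's browser is accepted just like a real form submit.
function myplugin_save_settings_unsafe() {
    if ( isset( $_POST['myplugin_api_key'] ) ) {
        update_option( 'myplugin_api_key', sanitize_text_field( wp_unslash( $_POST['myplugin_api_key'] ) ) );
    }
}

// FIXED, step 1: render the form with a nonce bound to one named action.
function myplugin_render_settings_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <input type="text" name="myplugin_api_key"
               value="<?php echo esc_attr( get_option( 'myplugin_api_key', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// FIXED, steps 2 and 3: verify intent (nonce), then permission (capability),
// and only then touch state.
function myplugin_save_settings_safe() {
    if ( ! isset( $_POST['myplugin_api_key'] ) ) {
        return;
    }
    // Calls wp_die() when the nonce is absent, expired, or for another action.
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );
    // The nonce only shows the request came from a form this site rendered for
    // this user; whether the user may change settings is a separate question.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'myplugin' ) );
    }
    update_option( 'myplugin_api_key', sanitize_text_field( wp_unslash( $_POST['myplugin_api_key'] ) ) );
}

// AJAX variant: reads the nonce from $_REQUEST['security'] and dies on failure.
function myplugin_ajax_toggle() {
    check_ajax_referer( 'myplugin_toggle', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'myplugin_enabled', ! get_option( 'myplugin_enabled', false ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_myplugin_toggle', 'myplugin_ajax_toggle' );
```

The client that issues the AJAX call must send the value of `wp_create_nonce( 'myplugin_toggle' )` in the `security` parameter, typically passed to the script via `wp_localize_script()`.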
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Updated | Top Issue |
|---|---|---|---|---|---|---|---|
| #2251 | onOffice for WP-Websites | 67 | 5 | 507 | 1k+ | | Non Prefixed Variable Found |
| #2252 | Product Variations Swatches for WooCommerce | 67 | 8 | 136 | 10k+ | | Non Prefixed Variable Found |
| #2253 | Team Section Block – Showcase Team Members with Layout Options | 67 | 6 | 38 | 1k+ | | Non Prefixed Namespace Found |
| #2254 | Theme Check | 67 | 143 | 6 | 20k+ | | Missing Translators Comment |
| #2255 | WP Image Zoom | 67 | 30 | 46 | 10k+ | | Non Prefixed Variable Found |
| #2256 | WP Post Branches | 67 | 16 | 12 | 4k+ | | Output Not Escaped |
| #2257 | WPC Show Single Variations for WooCommerce | 67 | 5 | 31 | 1k+ | | Recommended |
| #2258 | Controls for Contact Form 7 (Redirects, Analytics & Tracking) | 68 | 4 | 14 | 10k+ | | Missing |
| #2259 | SKT Page Builder | 68 | 15 | 49 | 2k+ | | Missing |
| #2260 | WP and Divi Icons | 68 | 201 | 56 | 2k+ | | wp function not compatible with requires wp |
| #2261 | Age Gate | 69 | 61 | 139 | 40k+ | | missing direct file access protection |
| #2262 | Automatic Domain Changer | 69 | 37 | 14 | 10k+ | | Text Domain Mismatch |
| #2263 | Contact Form 7 | 69 | 56 | 39 | 10m+ | | missing direct file access protection |
| #2264 | CryptX | 69 | 11 | 30 | 10k+ | | Missing |
| #2265 | Custom Archive Titles | 69 | 39 | 4 | 2k+ | | Output Not Escaped |
| #2266 | Custom Category Template | 69 | 13 | 8 | 2k+ | | Missing Arg Domain |
| #2267 | Custom Login URL | 69 | 16 | 17 | 1k+ | | Missing Arg Domain |
| #2268 | Disable Users | 69 | 11 | 9 | 2k+ | | Text Domain Mismatch |
| #2269 | Easy Auto Reload – Auto Refresh | 69 | 37 | 12 | 1k+ | | Text Domain Mismatch |
| #2270 | GDPR Compliance for Mailchimp | 69 | 7 | 15 | 2k+ | | Missing |
| #2271 | Falcon – WordPress Optimizations & Tweaks | 69 | 29 | 21 | 2k+ | | Echo Found |
| #2272 | Add Widget After Content | 70 | 6 | 11 | 7k+ | | register setting Missing |
| #2273 | Points and Rewards for WooCommerce | 70 | 6 | 14 | 7k+ | | Recommended |
| #2274 | Search and Replace | 70 | 7 | 9 | 10k+ | | Input Not Sanitized |
| #2275 | Simple Login Captcha | 70 | 20 | 19 | 10k+ | | date date |
| #2276 | SQL Executioner | 70 | 18 | 17 | 2k+ | | Non Prefixed Variable Found |
| #2277 | Cart All In One For WooCommerce | 70 | 6 | 150 | 6k+ | | Non Prefixed Variable Found |
| #2278 | aapanel WP Toolkit | 71 | 20 | 18 | 2k+ | | wp function not compatible with requires wp |
| #2279 | Another Mailchimp Widget | 71 | 28 | 17 | 5k+ | | Missing Translators Comment |
| #2280 | Contact Form 7 Confirm Email Field | 71 | 35 | 11 | 2k+ | | Text Domain Mismatch |
| #2281 | Multiple Roles | 71 | 7 | 20 | 5k+ | | Non Prefixed Variable Found |
| #2282 | Privyr CRM – Instant Lead Alerts for Contact Forms | 71 | 2 | 25 | 4k+ | | Non Prefixed Function Found |
| #2283 | Multi-Step Checkout for WooCommerce | 71 | 38 | 104 | 8k+ | | Non Prefixed Variable Found |
| #2284 | Disable Title | 72 | 20 | 15 | 2k+ | | Text Domain Mismatch |
| #2285 | Getsitecontrol — Email Marketing Plugin \| Popup Maker, Automations & Newsletters | 72 | 17 | 11 | 1k+ | | wp function not compatible with requires wp |
| #2286 | Product Subtitle For WooCommerce | 72 | 6 | 36 | 3k+ | | Non Prefixed Namespace Found |
| #2287 | WooCommerce Shipping | 72 | 47 | | 70k+ | | Direct Query |
| #2288 | Continue Shopping for WooCommerce | 73 | 9 | 20 | 5k+ | | Input Not Sanitized |
| #2289 | EmailKit – Email Customizer for WooCommerce & WP | 73 | 18 | 81 | 70k+ | | slow db query meta query |
| #2290 | Multifile Upload Field for Contact Form 7 | 73 | 41 | 7 | 5k+ | | Text Domain Mismatch |
| #2291 | NETOPIA Payments Payment Gateway | 73 | 3 | 31 | 10k+ | | Missing |
| #2292 | Cálculo do frete somente com o CEP – WC Brasil | 74 | 13 | 24 | 1k+ | | Non Prefixed Function Found |
| #2293 | RD Station | 74 | 2 | 67 | 20k+ | | Non Prefixed Variable Found |
| #2294 | Keon Toolset | 74 | 4 | 28 | 30k+ | | Non Prefixed Function Found |
| #2295 | Multiple Admin Email Addresses | 74 | 7 | 4 | 1k+ | | Missing |
| #2296 | Zion Builder – Website Builder for Speed & Creativity | 74 | 4 | 29 | 1k+ | | Non Prefixed Hookname Found |
| #2297 | Force First and Last Name as Display Name | 75 | 5 | 12 | 2k+ | | Missing |
| #2298 | List all URLs | 75 | 8 | 5 | 5k+ | | Missing |
| #2299 | Options Framework | 75 | 8 | 56 | 10k+ | | Non Prefixed Function Found |
| #2300 | Custom Product Tabs Lite for WooCommerce | 75 | 3 | 11 | 4k+ | | Input Not Validated |