# WordPress.Security.NonceVerification.Missing

Missing nonce verification

A request handler reads request data and acts on it without verifying that the request came from a form, link, or AJAX call that WordPress generated for the current user, i.e. without a valid nonce.
## Why It Shows Up
The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.
## Why It Matters

Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request (cross-site request forgery, CSRF). The forged request carries the victim's session cookies, so a capability check on its own still passes.
## How to Fix
- Add a nonce to the form, link, AJAX request, or REST request.
- Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
- Keep capability checks separate; nonces prove intent, not permission.
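The three fix steps above, worked through as an added example (this is not code from the scanner page or from any listed plugin). It assumes a hypothetical plugin using the `myplugin_` prefix that saves one option from a settings form, once through `admin-post.php` and once through `admin-ajax.php`; the option name, action names, nonce field names and `admin.js` file are all invented for the illustration. The first handler is the shape the sniff flags; the rest shows the nonce being issued and then verified, with the capability check kept separate.

```php
<?php
// Added example for a hypothetical "myplugin" plugin; names are assumptions.

// --- Flagged pattern: $_POST is used to change state with no nonce check.
// The capability check proves the user *may* change the option, not that
// they *meant* to; a forged request from another site passes it.
function myplugin_save_setting_unsafe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $value = isset( $_POST['myplugin_setting'] )
        ? sanitize_text_field( wp_unslash( $_POST['myplugin_setting'] ) )
        : '';
    update_option( 'myplugin_setting', $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
}

// --- Step 1: add a nonce to the form. wp_nonce_field() emits a hidden
// input named "myplugin_nonce" bound to the action "myplugin_save_setting".
function myplugin_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save_setting">
        <?php wp_nonce_field( 'myplugin_save_setting', 'myplugin_nonce' ); ?>
        <input type="text" name="myplugin_setting"
               value="<?php echo esc_attr( get_option( 'myplugin_setting', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// --- Step 2: verify the nonce before changing state.
// --- Step 3: keep the capability check as a separate test.
function myplugin_save_setting() {
    // Looks up $_REQUEST['myplugin_nonce'] and validates it against the action;
    // on a missing or invalid nonce it calls wp_die() and never returns.
    check_admin_referer( 'myplugin_save_setting', 'myplugin_nonce' );

    // Nonce proved intent; this proves permission.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    $value = isset( $_POST['myplugin_setting'] )
        ? sanitize_text_field( wp_unslash( $_POST['myplugin_setting'] ) )
        : '';
    update_option( 'myplugin_setting', $value );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=myplugin' ) ) );
    exit;
}
add_action( 'admin_post_myplugin_save_setting', 'myplugin_save_setting' );

// --- AJAX variant: the nonce is created server-side and handed to the
// script (assumed file admin.js), which sends it back as the "nonce" field.
function myplugin_enqueue_admin_js() {
    wp_enqueue_script( 'myplugin-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'myplugin-admin', 'mypluginAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'myplugin_ajax' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'myplugin_enqueue_admin_js' );

function myplugin_ajax_save_setting() {
    // Checks $_REQUEST['nonce'] against the "myplugin_ajax" action and
    // terminates with a 403 response when it is absent or invalid.
    check_ajax_referer( 'myplugin_ajax', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $value = isset( $_POST['myplugin_setting'] )
        ? sanitize_text_field( wp_unslash( $_POST['myplugin_setting'] ) )
        : '';
    update_option( 'myplugin_setting', $value );
    wp_send_json_success( array( 'saved' => $value ) );
}
add_action( 'wp_ajax_myplugin_save_setting', 'myplugin_ajax_save_setting' );
```

`check_admin_referer()` and `check_ajax_referer()` both wrap `wp_verify_nonce()` and stop execution on failure, which is why the state change can follow them directly; `wp_verify_nonce()` itself only returns `false`, so if you call it yourself you must branch on the result. For REST routes the same intent check is supplied by sending the `X-WP-Nonce` header created with `wp_create_nonce( 'wp_rest' )`, which core validates before your callback runs.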
## Affected Plugins

| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2301 | Custom Product Tabs Lite for WooCommerce | 75 | 3 | 11 | 4k+ | | | Input is not validated |
| #2302 | Brazilian Market on WooCommerce | 75 | 4 | 51 | 70k+ | | | Missing nonce verification |
| #2303 | Auction Nudge – Your eBay Listings | 76 | 18 | 6 | 1k+ | | | Missing direct file access protection |
| #2304 | PiWeb Cancel order / Refund request for WooCommerce | 76 | 40 | 49 | 2k+ | | | wp function not compatible with requires wp |
| #2305 | Custom Template for LearnDash | 76 | 7 | 9 | 1k+ | | | Non-prefixed hook name |
| #2306 | ABC Crypto Checkout | 76 | 42 | 14 | 1k+ | | | Text Domain Mismatch |
| #2307 | Contact Form 7 Text CAPTCHA | 76 | 14 | 34 | 1k+ | | | Non-prefixed global variable |
| #2308 | Breadcrumbs for WooCommerce | 76 | 14 | 2 | 6k+ | | | Output is not escaped |
| #2309 | WP SAML Auth | 76 | 7 | 25 | 7k+ | | | Nonce verification recommended |
| #2310 | GDPR | 77 | 39 | 121 | 10k+ | | | Non-prefixed global variable |
| #2311 | Simple Floating Menu | 77 | 13 | 3 | 10k+ | | | Missing direct file access protection |
| #2312 | wpsection | 77 | 131 | 554 | 3k+ | | | Non-prefixed global variable |
| #2313 | Animated Text Block – Add Typing and Looping Text Effects | 78 | 5 | 25 | 4k+ | | | Non-prefixed class |
| #2314 | Date Picker For Contact Form 7 | 78 | 3 | 8 | 4k+ | | | Missing nonce verification |
| #2315 | Honeypot Anti-Spam | 78 | 5 | 7 | 10k+ | | | Missing nonce verification |
| #2316 | Nav Menu Images | 78 | 5 | 8 | 6k+ | | | Missing nonce verification |
| #2317 | Coming Soon & Maintenance Mode Page & Under Construction | 78 | 35 | 67 | 10k+ | | | Non-prefixed global variable |
| #2318 | Typing Text – Add Animated Typing Effects to Headings or Text | 78 | 4 | 25 | 3k+ | | | Non-prefixed class |
| #2319 | Manage Privacy Options Page | 79 | 3 | 11 | 1k+ | | | Input is not validated |
| #2320 | SSH SFTP Updater Support | 79 | 6 | 31 | 10k+ | | | Non-prefixed global variable |
| #2321 | Customizer for WooCommerce | 79 | 4 | 6 | 20k+ | | | Missing nonce verification |
| #2322 | Custom Icons for Elementor | 80 | 6 | 25 | 10k+ | | | Non-prefixed global variable |
| #2323 | Password Policy Manager \| Password Manager | 80 | 3 | 88 | 6k+ | | | Non-prefixed global variable |
| #2324 | WP Video Popup – WordPress Video Lightbox for YouTube, Rumble & Vimeo | 80 | 5 | 14 | 9k+ | | | wp function not compatible with requires wp |
| #2325 | Blocksy Companion | 81 | 1,069 | | 300k+ | | | Non-prefixed global variable |
| #2326 | ElasticPress | 81 | 13 | 655 | 8k+ | | | Non-prefixed hook name |
| #2327 | External Thumbnail | 81 | 6 | 5 | 20k+ | | | Missing nonce verification |
| #2328 | Open in New Window Plugin | 81 | 6 | 8 | 2k+ | | | Offloaded Content |
| #2329 | Payfast Gateway for WooCommerce | 81 | 2 | 18 | 2k+ | | | Missing nonce verification |
| #2330 | Select and Multi-Select Field for Contact Form 7 | 81 | 25 | 12 | 2k+ | | | Text Domain Mismatch |
| #2331 | Orphans | 81 | 1 | 43 | 50k+ | | | Dynamic hook name |
| #2332 | WP Subtitle | 81 | 7 | 33 | 10k+ | | | Non-prefixed hook name |
| #2333 | PixTypes | 82 | 178 | | 9k+ | | | Non-prefixed global variable |
| #2334 | Extra Price Fields for Woocommerce- Display extra price info on Woocommerce products | 82 | 6 | 10 | 2k+ | | | Missing nonce verification |
| #2335 | Max upload filesize | 83 | 3 | 8 | 9k+ | | | Input is not validated |
| #2336 | Preserve Editor Scroll Position | 83 | 2 | 6 | 4k+ | | | Missing nonce verification |
| #2337 | Add Descendants As Submenu Items | 84 | 3 | 8 | 2k+ | | | Missing nonce verification |
| #2338 | Change Admin Email | 84 | 4 | 4 | 50k+ | | | Missing nonce verification |
| #2339 | Comments Form Star Rating Plugin for WordPress | 84 | 3 | 10 | 2k+ | | | Missing nonce verification |
| #2340 | Digital Signature For Contact Form 7 | 84 | 22 | 11 | 5k+ | | | file system operations fwrite |
| #2341 | Filterable Portfolio | 84 | 3 | 76 | 1k+ | | | Non-prefixed global variable |
| #2342 | PW WooCommerce Exclude Free Shipping | 84 | 1 | 12 | 1k+ | | | Missing nonce verification |
| #2343 | Safelayout Cute Preloader – CSS3 WordPress Preloader | 84 | 3 | 14 | 10k+ | | | Input is not validated |
| #2344 | Upload SVG | 84 | 3 | 8 | 1k+ | | | Non-prefixed global variable |
| #2345 | Widgets for Google Business Reviews and Ratings | 84 | 2 | 12 | 2k+ | | | Missing nonce verification |
| #2346 | Logo Slider and Showcase | 84 | 2 | 15 | 7k+ | | | Missing nonce verification |
| #2347 | DCO Comment Attachment | 85 | 5 | 5 | 5k+ | | | Missing nonce verification |
| #2348 | reCaptcha Add-On for FormCraft | 85 | 4 | 16 | 7k+ | | | Missing Version |
| #2349 | HSTS Ready | 85 | 3 | 11 | 3k+ | | | Input is not validated |
| #2350 | Ocean Stick Anything | 85 | 6 | 6 | 20k+ | | | Missing Arg Domain |