WordPress.Security.NonceVerification.Missing

Missing nonce verification

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical weight

Why It Shows Up

The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.

Why It Matters

Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.

How to Fix

  • Add a nonce to the form, link, AJAX request, or REST request.
  • Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
  • Keep capability checks separate; nonces prove intent, not permission.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2401One Click Order Re-Order38139631k+Non Singular String Literal Domain
#2402OneSignal – Web Push Notifications38536470k+Output is not escaped
#2403Open Graphite383802043k+Unsafe printing function
#2404Ozh' Better Feed384535600Heredoc Output Not Escaped
#2405YAPE A1 Tiendas382443900Missing nonce verification
#2406PDF Catalog for WooCommerce3830461k+Nonce verification recommended
#2407PopCash Code Integration Tool3877109400Nonce verification recommended
#2408Popular Widget386130700Unsafe printing function
#2409Post views Stats3837511k+Non-prefixed global variable
#2410PostLinks3810710700Output is not escaped
#2411qTranslate META388826400Output is not escaped
#2412qTranslate X Cleanup and WPML Import38167102800Text Domain Mismatch
#2413RDP Wiki Embed386926400Output is not escaped
#2414Remove WordPress Overhead3864471k+Text Domain Mismatch
#2415Logo Carousel – Display Brand or Client Logos in Slider3852442800Output is not escaped
#2416Responsive Mailform ( Plugin Version ) – easy, responsive, contact, mailform38120107500Output is not escaped
#2417WP REST API – OAuth 1.0a Server38100858k+Text Domain Mismatch
#2418Like This3860171k+Output is not escaped
#2419RSS Feed Widget38207892k+Unsafe printing function
#2420Invoice1233813988400Text Domain Mismatch
#2421Schema App Structured Data3835867k+Nonce verification recommended
#2422Author Image3851331k+Output is not escaped
#2423Shapely Companion38493910k+Output is not escaped
#2424Simple JWT Login – Allows you to use JWT on REST endpoints.38712954k+Output is not escaped
#2425Simple Keyword to Link3890493k+Non Singular String Literal Domain
#2426SimpleShop3852511k+date date
#2427Slickplan Importer384058400Non-prefixed global variable
#2428Smart Maintenance Mode381371281k+Output is not escaped
#2429Social Icons38728310k+Output is not escaped
#2430SOGO Accessibility38147405k+Non Singular String Literal Domain
#2431Sticky Header Effects for Elementor3824371300k+Text Domain Mismatch
#2432Subscriptions & Memberships for PayPal3873237900Request data is not unslashed
#2433Swiper Js Slider3812535400Output is not escaped
#2434Tag Manager – Header, Body And Footer389731920k+Non-prefixed global variable
#2435Product Compare for WooCommerce38551913k+Non-prefixed global variable
#2436Variation Swatches for WooCommerce3845652k+Output is not escaped
#2437Broadcast38211071k+Direct Query
#2438Trackserver3817356400Input is not sanitized
#2439Plugin Name: Traffic Stats Widget Plugin3869107600Output is not escaped
#2440TRUENDO | GDPR Compliant Cookie Manager389838600Output is not escaped
#2441Twenty Eleven Theme Extensions3835303k+Output is not escaped
#2442Twiget Twitter Widget3814736500Output is not escaped
#2443Twitter for WordPress3847241k+Output is not escaped
#2444TypePad emoji for TinyMCE38100248k+Text Domain Mismatch
#2445Termly – GDPR/CCPA Cookie Consent Banner38549280k+Non-prefixed global variable
#2446Ultimate Member Widgets for Elementor – Login Form, Register Form & User Directory3817110400Non-prefixed namespace
#2447Unconfirmed3820791k+Nonce verification recommended
#2448User Specific Content38143191k+Text Domain Mismatch
#2449FancyTube – Video Gallery, Video Slider, and Playlist Slider for YouTube38358341k+Text Domain Mismatch
#2450Ninja Forms Views – Display & Edit Ninja Forms Submissions on your site frontend3884491k+Output is not escaped