WordPress.Security.NonceVerification.Missing
Missing nonce verification
A request handler uses request data without verifying that the request was intentionally created by WordPress.
Why It Shows Up
The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.
Why It Matters
Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.
How to Fix
- Add a nonce to the form, link, AJAX request, or REST request.
- Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
- Keep capability checks separate; nonces prove intent, not permission.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2401 | One Click Order Re-Order | 38 | 139 | 63 | 1k+ | Non Singular String Literal Domain | ||
| #2402 | OneSignal – Web Push Notifications | 38 | 53 | 64 | 70k+ | Output is not escaped | ||
| #2403 | Open Graphite | 38 | 380 | 204 | 3k+ | Unsafe printing function | ||
| #2404 | Ozh' Better Feed | 38 | 45 | 35 | 600 | Heredoc Output Not Escaped | ||
| #2405 | YAPE A1 Tiendas | 38 | 24 | 43 | 900 | Missing nonce verification | ||
| #2406 | PDF Catalog for WooCommerce | 38 | 30 | 46 | 1k+ | Nonce verification recommended | ||
| #2407 | PopCash Code Integration Tool | 38 | 77 | 109 | 400 | Nonce verification recommended | ||
| #2408 | Popular Widget | 38 | 61 | 30 | 700 | Unsafe printing function | ||
| #2409 | Post views Stats | 38 | 37 | 51 | 1k+ | Non-prefixed global variable | ||
| #2410 | PostLinks | 38 | 107 | 10 | 700 | Output is not escaped | ||
| #2411 | qTranslate META | 38 | 88 | 26 | 400 | Output is not escaped | ||
| #2412 | qTranslate X Cleanup and WPML Import | 38 | 167 | 102 | 800 | Text Domain Mismatch | ||
| #2413 | RDP Wiki Embed | 38 | 69 | 26 | 400 | Output is not escaped | ||
| #2414 | Remove WordPress Overhead | 38 | 64 | 47 | 1k+ | Text Domain Mismatch | ||
| #2415 | Logo Carousel – Display Brand or Client Logos in Slider | 38 | 524 | 42 | 800 | Output is not escaped | ||
| #2416 | Responsive Mailform ( Plugin Version ) – easy, responsive, contact, mailform | 38 | 120 | 107 | 500 | Output is not escaped | ||
| #2417 | WP REST API – OAuth 1.0a Server | 38 | 100 | 85 | 8k+ | Text Domain Mismatch | ||
| #2418 | Like This | 38 | 60 | 17 | 1k+ | Output is not escaped | ||
| #2419 | RSS Feed Widget | 38 | 207 | 89 | 2k+ | Unsafe printing function | ||
| #2420 | Invoice123 | 38 | 139 | 88 | 400 | Text Domain Mismatch | ||
| #2421 | Schema App Structured Data | 38 | 35 | 86 | 7k+ | Nonce verification recommended | ||
| #2422 | Author Image | 38 | 51 | 33 | 1k+ | Output is not escaped | ||
| #2423 | Shapely Companion | 38 | 49 | 39 | 10k+ | Output is not escaped | ||
| #2424 | Simple JWT Login – Allows you to use JWT on REST endpoints. | 38 | 712 | 95 | 4k+ | Output is not escaped | ||
| #2425 | Simple Keyword to Link | 38 | 90 | 49 | 3k+ | Non Singular String Literal Domain | ||
| #2426 | SimpleShop | 38 | 52 | 51 | 1k+ | date date | ||
| #2427 | Slickplan Importer | 38 | 40 | 58 | 400 | Non-prefixed global variable | ||
| #2428 | Smart Maintenance Mode | 38 | 137 | 128 | 1k+ | Output is not escaped | ||
| #2429 | Social Icons | 38 | 72 | 83 | 10k+ | Output is not escaped | ||
| #2430 | SOGO Accessibility | 38 | 147 | 40 | 5k+ | Non Singular String Literal Domain | ||
| #2431 | Sticky Header Effects for Elementor | 38 | 243 | 71 | 300k+ | Text Domain Mismatch | ||
| #2432 | Subscriptions & Memberships for PayPal | 38 | 73 | 237 | 900 | Request data is not unslashed | ||
| #2433 | Swiper Js Slider | 38 | 125 | 35 | 400 | Output is not escaped | ||
| #2434 | Tag Manager – Header, Body And Footer | 38 | 97 | 319 | 20k+ | Non-prefixed global variable | ||
| #2435 | Product Compare for WooCommerce | 38 | 55 | 191 | 3k+ | Non-prefixed global variable | ||
| #2436 | Variation Swatches for WooCommerce | 38 | 45 | 65 | 2k+ | Output is not escaped | ||
| #2437 | Broadcast | 38 | 21 | 107 | 1k+ | Direct Query | ||
| #2438 | Trackserver | 38 | 17 | 356 | 400 | Input is not sanitized | ||
| #2439 | Plugin Name: Traffic Stats Widget Plugin | 38 | 69 | 107 | 600 | Output is not escaped | ||
| #2440 | TRUENDO | GDPR Compliant Cookie Manager | 38 | 98 | 38 | 600 | Output is not escaped | ||
| #2441 | Twenty Eleven Theme Extensions | 38 | 35 | 30 | 3k+ | Output is not escaped | ||
| #2442 | Twiget Twitter Widget | 38 | 147 | 36 | 500 | Output is not escaped | ||
| #2443 | Twitter for WordPress | 38 | 47 | 24 | 1k+ | Output is not escaped | ||
| #2444 | TypePad emoji for TinyMCE | 38 | 100 | 24 | 8k+ | Text Domain Mismatch | ||
| #2445 | Termly – GDPR/CCPA Cookie Consent Banner | 38 | 54 | 92 | 80k+ | Non-prefixed global variable | ||
| #2446 | Ultimate Member Widgets for Elementor – Login Form, Register Form & User Directory | 38 | 17 | 110 | 400 | Non-prefixed namespace | ||
| #2447 | Unconfirmed | 38 | 20 | 79 | 1k+ | Nonce verification recommended | ||
| #2448 | User Specific Content | 38 | 143 | 19 | 1k+ | Text Domain Mismatch | ||
| #2449 | FancyTube – Video Gallery, Video Slider, and Playlist Slider for YouTube | 38 | 358 | 34 | 1k+ | Text Domain Mismatch | ||
| #2450 | Ninja Forms Views – Display & Edit Ninja Forms Submissions on your site frontend | 38 | 84 | 49 | 1k+ | Output is not escaped |