WordPress.Security.NonceVerification.Missing
Missing nonce verification
A request handler reads request data without verifying that the request came from a form, link, or script that WordPress generated for the current user, which is what a valid nonce attests.
Why It Shows Up
The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.
Why It Matters
Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request (cross-site request forgery).
How to Fix
- Add a nonce to the form, link, AJAX request, or REST request.
- Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
- Keep capability checks separate; nonces prove intent, not permission.
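As an added example (not code from the original page or from any of the plugins listed below), the fix above applied to a minimal admin-post form handler and an admin-ajax handler: the nonce is emitted where the form or script is rendered, verified first thing in the handler, and the capability check stays separate. The hook names, option name, nonce action strings, and text domain are assumed.

```php
<?php
/**
 * Added example: nonce + capability checks for an admin-post form and an AJAX action.
 * All names (example_*, 'example-plugin') are placeholders, not from the original page.
 */

// Render the settings form. wp_nonce_field() ties the submission to this user and action.
function example_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $value = get_option( 'example_setting', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="text" name="example_setting" value="<?php echo esc_attr( $value ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Form handler. The nonce check is the line the sniff expects to see before $_POST is read.
function example_save_settings() {
    // Proves intent: the request originated from the form rendered above for this user.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // Proves permission: a valid nonce alone does not mean the user may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'example-plugin' ), 403 );
    }

    $value = isset( $_POST['example_setting'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_setting'] ) )
        : '';
    update_option( 'example_setting', $value );

    $back = wp_get_referer() ? wp_get_referer() : admin_url();
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
    exit;
}
add_action( 'admin_post_example_save_settings', 'example_save_settings' );

// AJAX variant. The nonce is created with wp_create_nonce() where the script is enqueued
// and sent back in the request body under the 'nonce' key.
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_toggle' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );

function example_ajax_toggle() {
    // Ends the request with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_toggle', 'nonce' );

    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $enabled = ! get_post_meta( $post_id, '_example_enabled', true );
    update_post_meta( $post_id, '_example_enabled', $enabled ? '1' : '' );

    wp_send_json_success( array( 'post_id' => $post_id, 'enabled' => $enabled ) );
}
add_action( 'wp_ajax_example_toggle', 'example_ajax_toggle' );
```

Note that both handlers verify the nonce before touching `$_POST` at all, which is what the sniff looks for, and that the capability check is a separate statement: `check_admin_referer()` and `check_ajax_referer()` only confirm the request was generated for the logged-in user, not that the user is allowed to perform the action.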
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2651 | 404 Notifier | 40 | 39 | 41 | 700 | | | Output is not escaped |
| #2652 | AccessibleWP – ALT Detector | 40 | 55 | 14 | 500 | | | Text Domain Mismatch |
| #2653 | ACF to Custom Database Tables | 40 | 36 | 64 | 600 | | | Nonce verification recommended |
| #2654 | Add Pinterest conversion tags for Pinterest Ads + Site verification | 40 | 88 | 26 | 1k+ | | | Output is not escaped |
| #2655 | Subscribe Button by AddToAny | 40 | 93 | 47 | 900 | | | Output is not escaped |
| #2656 | Advanced Admin Search | 40 | 79 | 48 | 600 | | | Non Singular String Literal Text |
| #2657 | Advanced Country Blocker | 40 | 23 | 77 | 2k+ | | | Exception output is not escaped |
| #2658 | Advanced Custom Fields: Font Awesome Field | 40 | 332 | 70 | 90k+ | | | Text Domain Mismatch |
| #2659 | Advanced WooCommerce Product Gallery Slider | 40 | 42 | 48 | 3k+ | | | Non-prefixed global variable |
| #2660 | AgreeMe Checkboxes For WooCommerce | 40 | 88 | 44 | 600 | | | Text Domain Mismatch |
| #2661 | Allow Multiple Accounts | 40 | 115 | 19 | 9k+ | | | Non Singular String Literal Domain |
| #2662 | Alt Magic: AI Image Alt Text Generator for WP & Image Rename | 40 | 55 | 118 | 1k+ | | | Direct Query |
| #2663 | amCharts: Charts and Maps | 40 | 263 | 113 | 2k+ | | | Text Domain Mismatch |
| #2664 | Analytics Cat – Google Analytics Made Easy | 40 | 83 | 27 | 6k+ | | | Text Domain Mismatch |
| #2665 | Athemes Toolbox | 40 | 254 | 58 | 3k+ | | | Text Domain Mismatch |
| #2666 | Autocomplete LearnDash Lessons and Topics | 40 | 46 | 16 | 1k+ | | | Missing Arg Domain |
| #2667 | Mastodon Autopost | 40 | 41 | 50 | 800 | | | Output is not escaped |
| #2668 | AxiaChat AI – Free AI Chatbot (Answers Customers Automatically) | 40 | 2 | 135 | 2k+ | | | Interpolated SQL is not prepared |
| #2669 | Back To The Top Button | 40 | 31 | 271 | 4k+ | | | Non-prefixed global variable |
| #2670 | Bangladeshi Payment Gateways – Make Payment Using QR Code | 40 | 40 | 36 | 5k+ | | | Output is not escaped |
| #2671 | Basic Interactive World Map | 40 | 94 | 54 | 1k+ | | | Text Domain Mismatch |
| #2672 | Better Internal Link Search | 40 | 23 | 48 | 1k+ | | | strip tags strip tags |
| #2673 | BH Custom CSS3 Preloader – Just play and play | 40 | 439 | 26 | 900 | | | Text Domain Mismatch |
| #2674 | Billingo Official for WooCommerce | 40 | 26 | 37 | 3k+ | | | Output is not escaped |
| #2675 | Black Studio TinyMCE Widget | 40 | 39 | 28 | 200k+ | | | Output is not escaped |
| #2676 | Bubble Menu – Floating Button Menu with Sticky Navigation | 40 | 2 | 216 | 1k+ | | | Nonce verification recommended |
| #2677 | Bulk Featured Image | 40 | 69 | 117 | 800 | | | Output is not escaped |
| #2678 | Bulk Move | 40 | 85 | 44 | 9k+ | | | Unsafe printing function |
| #2679 | Buy one Get one Free – BOGO discount rule maker for WooCommerce | 40 | 119 | 57 | 400 | | | Text Domain Mismatch |
| #2680 | Custom Cart Link for WooCommerce | 40 | 24 | 16 | 700 | | | Unsafe printing function |
| #2681 | Category Featured Images Extended | 40 | 177 | 40 | 400 | | | Text Domain Mismatch |
| #2682 | CleverReach Integration for Contact Form 7 | 40 | 103 | 43 | 700 | | | Text Domain Mismatch |
| #2683 | Contact form 7 TO API + Basic Auth | 40 | 73 | 30 | 1k+ | | | Non Singular String Literal Domain |
| #2684 | Classified Ads | 40 | 136 | 38 | 1k+ | | | Text Domain Mismatch |
| #2685 | Client Portal : SuiteDash Direct Login | 40 | 93 | 17 | 1k+ | | | Text Domain Mismatch |
| #2686 | Conditional WooCommerce Checkout Field | 40 | 84 | 22 | 400 | | | Unsafe printing function |
| #2687 | Contact Form 7 GetResponse Extension | 40 | 88 | 18 | 1k+ | | | Text Domain Mismatch |
| #2688 | Contact Form 7 Multi-Step Forms | 40 | 65 | 40 | 50k+ | | | Output is not escaped |
| #2689 | Database Addon for Contact Form 7 – CFDB7 | 40 | 35 | 56 | 600k+ | | | Nonce verification recommended |
| #2690 | Free Cookie Notice & Consent Banner for Privacy Compliance (GDPR, CCPA, DSGVO and others) | 40 | 39 | 15 | 6k+ | | | Missing direct file access protection |
| #2691 | Copyscape Premium | 40 | 148 | 133 | 800 | | | SQL query is not prepared |
| #2692 | Country State City Dropdown CF7 | 40 | 35 | 54 | 5k+ | | | Direct Query |
| #2693 | Coupon Generator for WooCommerce | 40 | 39 | 28 | 10k+ | | | Unsafe printing function |
| #2694 | Crypto Price Widgets – CryptoWP | 40 | 103 | 43 | 600 | | | Output is not escaped |
| #2695 | Custom Contact Forms | 40 | 13 | 106 | 6k+ | | | Missing nonce verification |
| #2696 | Custom Simple Rss | 40 | 73 | 130 | 2k+ | | | Nonce verification recommended |
| #2697 | Delete Me | 40 | 116 | 17 | 7k+ | | | Output is not escaped |
| #2698 | Duplicate Page | 40 | 39 | 43 | 3m+ | | | Unsafe printing function |
| #2699 | Eventer | 40 | 61 | 55 | 1k+ | | | Output is not escaped |
| #2700 | Payment Gateway of PayPal for WooCommerce | 40 | 44 | 173 | 7k+ | | | Nonce verification recommended |