WordPress.Security.NonceVerification.Missing

Missing nonce verification

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical weight

Why It Shows Up

The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.

Why It Matters

Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.

How to Fix

  • Add a nonce to the form, link, AJAX request, or REST request.
  • Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
  • Keep capability checks separate; nonces prove intent, not permission.
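The three steps above for an admin form posted to `admin-post.php`, as an added example that is not taken from this page or from any plugin listed on it. Every `myplugin_*` name, the `manage_options` capability and the redirect target are assumptions chosen for illustration.

```php
<?php
// Added example: all "myplugin_*" names are hypothetical.

// 1. Render the form with a nonce bound to one specific action.
function myplugin_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save_label" />
        <?php wp_nonce_field( 'myplugin_save_label', 'myplugin_nonce' ); ?>
        <input type="text" name="myplugin_label"
               value="<?php echo esc_attr( get_option( 'myplugin_label', '' ) ); ?>" />
        <?php submit_button( __( 'Save', 'myplugin' ) ); ?>
    </form>
    <?php
}

// 2. admin-post.php fires admin_post_{action} for logged-in users.
add_action( 'admin_post_myplugin_save_label', 'myplugin_handle_save' );

function myplugin_handle_save() {
    // Permission: checked separately, because a valid nonce does not imply capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change this setting.', 'myplugin' ), 403 );
    }

    // Intent: execution stops here if the nonce is missing, expired or invalid.
    check_admin_referer( 'myplugin_save_label', 'myplugin_nonce' );

    // Only now read request data, and sanitize it before storing.
    $label = isset( $_POST['myplugin_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['myplugin_label'] ) )
        : '';
    update_option( 'myplugin_label', $label );

    // Hypothetical settings page slug.
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
}
```

For an AJAX handler the same pattern applies with `check_ajax_referer()` in place of `check_admin_referer()`.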

Affected Plugins

Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue
#2651404 Notifier403941700Output is not escaped
#2652AccessibleWP – ALT Detector405514500Text Domain Mismatch
#2653ACF to Custom Database Tables403664600Nonce verification recommended
#2654Add Pinterest conversion tags for Pinterest Ads + Site verification4088261k+Output is not escaped
#2655Subscribe Button by AddToAny409347900Output is not escaped
#2656Advanced Admin Search407948600Non Singular String Literal Text
#2657Advanced Country Blocker4023772k+Exception output is not escaped
#2658Advanced Custom Fields: Font Awesome Field403327090k+Text Domain Mismatch
#2659Advanced WooCommerce Product Gallery Slider4042483k+Non-prefixed global variable
#2660AgreeMe Checkboxes For WooCommerce408844600Text Domain Mismatch
#2661Allow Multiple Accounts40115199k+Non Singular String Literal Domain
#2662Alt Magic: AI Image Alt Text Generator for WP & Image Rename40551181k+Direct Query
#2663amCharts: Charts and Maps402631132k+Text Domain Mismatch
#2664Analytics Cat – Google Analytics Made Easy4083276k+Text Domain Mismatch
#2665Athemes Toolbox40254583k+Text Domain Mismatch
#2666Autocomplete LearnDash Lessons and Topics4046161k+Missing Arg Domain
#2667Mastodon Autopost404150800Output is not escaped
#2668AxiaChat AI – Free AI Chatbot (Answers Customers Automatically)4021352k+Interpolated SQL is not prepared
#2669Back To The Top Button40312714k+Non-prefixed global variable
#2670Bangladeshi Payment Gateways – Make Payment Using QR Code4040365k+Output is not escaped
#2671Basic Interactive World Map4094541k+Text Domain Mismatch
#2672Better Internal Link Search4023481k+strip tags strip tags
#2673BH Custom CSS3 Preloader – Just play and play4043926900Text Domain Mismatch
#2674Billingo Official for WooCommerce4026373k+Output is not escaped
#2675Black Studio TinyMCE Widget403928200k+Output is not escaped
#2676Bubble Menu – Floating Button Menu with Sticky Navigation4022161k+Nonce verification recommended
#2677Bulk Featured Image4069117800Output is not escaped
#2678Bulk Move4085449k+Unsafe printing function
#2679Buy one Get one Free – BOGO discount rule maker for WooCommerce4011957400Text Domain Mismatch
#2680Custom Cart Link for WooCommerce402416700Unsafe printing function
#2681Category Featured Images Extended4017740400Text Domain Mismatch
#2682CleverReach Integration for Contact Form 74010343700Text Domain Mismatch
#2683Contact form 7 TO API + Basic Auth4073301k+Non Singular String Literal Domain
#2684Classified Ads40136381k+Text Domain Mismatch
#2685Client Portal : SuiteDash Direct Login4093171k+Text Domain Mismatch
#2686Conditional WooCommerce Checkout Field408422400Unsafe printing function
#2687Contact Form 7 GetResponse Extension4088181k+Text Domain Mismatch
#2688Contact Form 7 Multi-Step Forms40654050k+Output is not escaped
#2689Database Addon for Contact Form 7 – CFDB7403556600k+Nonce verification recommended
#2690Free Cookie Notice & Consent Banner for Privacy Compliance (GDPR, CCPA, DSGVO and others)4039156k+Missing direct file access protection
#2691Copyscape Premium40148133800SQL query is not prepared
#2692Country State City Dropdown CF74035545k+Direct Query
#2693Coupon Generator for WooCommerce40392810k+Unsafe printing function
#2694Crypto Price Widgets – CryptoWP4010343600Output is not escaped
#2695Custom Contact Forms40131066k+Missing nonce verification
#2696Custom Simple Rss40731302k+Nonce verification recommended
#2697Delete Me40116177k+Output is not escaped
#2698Duplicate Page4039433m+Unsafe printing function
#2699Eventer4061551k+Output is not escaped
#2700Payment Gateway of PayPal for WooCommerce40441737k+Nonce verification recommended