WordPress.Security.NonceVerification.Missing

Missing nonce verification

A request handler uses request data without verifying a nonce, so it cannot confirm that the request was intentionally initiated from a WordPress-generated form, link, or script.

critical weight

Why It Shows Up

The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.

Why It Matters

Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.

How to Fix

  • Add a nonce to the form, link, AJAX request, or REST request.
  • Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
  • Keep capability checks separate; nonces prove intent, not permission.
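The three steps above applied to one admin form, as an added example that is not code from this page or from any plugin listed on it. The names `myplugin_save`, `myplugin_save_nonce`, `myplugin_label` and the `myplugin` text domain are hypothetical; the flagged handler is shown unhooked, next to the corrected one.

```php
<?php
// Added example. 'myplugin_save', 'myplugin_save_nonce' and 'myplugin_label'
// are hypothetical names, not taken from any plugin listed on this page.

// Form side: embed a nonce bound to the action name and the current user.
function myplugin_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save">
        <?php wp_nonce_field( 'myplugin_save', 'myplugin_save_nonce' ); ?>
        <input type="text" name="label">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Pattern the sniff flags: $_POST drives a state change with no nonce check.
// Left unhooked on purpose; shown only for comparison.
function myplugin_save_unverified() {
    update_option( 'myplugin_label', $_POST['label'] );
}

// Corrected handler: permission and intent are checked separately,
// and both checks run before any state changes.
function myplugin_save() {
    // Permission: may this user change the setting at all?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to change this setting.', 'myplugin' ),
            '',
            array( 'response' => 403 )
        );
    }

    // Intent: ends the request if the nonce is missing or invalid.
    check_admin_referer( 'myplugin_save', 'myplugin_save_nonce' );

    // Only now read, unslash and sanitize the request data.
    $label = isset( $_POST['label'] )
        ? sanitize_text_field( wp_unslash( $_POST['label'] ) )
        : '';
    update_option( 'myplugin_label', $label );

    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
add_action( 'admin_post_myplugin_save', 'myplugin_save' );
```

For an AJAX handler the same structure applies with `check_ajax_referer()` in place of `check_admin_referer()`.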

Affected Plugins

Rank | Plugin | Score Errors Warnings Installs Added Updated | Top Issue
#2701 | Fast User Switching | 4028282k+ | Output is not escaped
#2702 | Featured Post | 403618900 | Output is not escaped
#2703 | FluentComments – Spam protection, AntiSpam, Ajax Enhanced Comments | 405047700 | Non-prefixed global variable
#2704 | Flying Scripts: Delay JavaScript to Improve Site Speed & Performance | 40234430k+ | Missing direct file access protection
#2705 | FlyWP Helper – Page Cache, Page Optimization, Emails for FlyWP Server Control Panel | 4020814k+ | Non-prefixed global variable
#2706 | Fusion Page Builder | 40341003k+ | Input is not validated
#2707 | Analytics Germanized for Google Analytics (GDPR / DSGVO) | 4049148k+ | Output is not escaped
#2708 | Osom Author Pro | 4083221k+ | Output is not escaped
#2709 | Get Cash | 408449500 | Non Singular String Literal Domain
#2710 | GetPaid > Item Inventory | 4011252400 | Text Domain Mismatch
#2711 | Gravity Forms Data Persistence Add-On Reloaded | 401438700 | Input is not sanitized
#2712 | Header Promo – Show Top Bar Message or Call to Action | 4047245400 | Output is not escaped
#2713 | WP Armour – Honeypot Anti Spam | 405566400k+ | Missing nonce verification
#2714 | Hostinger Reach – AI-Powered Email Marketing for WordPress | 409461m+ | Direct Query
#2715 | iNext Woo Pincode Checker | 403682700 | Missing nonce verification
#2716 | Correios Automático – Rastreio, Frete, Etiqueta, Declaração e Devolução | 4032564k+ | Non-prefixed global variable
#2717 | Interactive US Map | 4013654400 | Text Domain Mismatch
#2718 | Quotes Addon for GetPaid | 4019121700 | Text Domain Mismatch
#2719 | JSM Show Order Metadata for WooCommerce HPOS | 401764700 | Nonce verification recommended
#2720 | JSM Show Post Metadata | 40156610k+ | Nonce verification recommended
#2721 | JSM Show Term Metadata | 401464900 | Nonce verification recommended
#2722 | JSM Show User Metadata | 4014643k+ | Nonce verification recommended
#2723 | La Sentinelle antispam | 4088463k+ | Output is not escaped
#2724 | Limit Login Attempts | 408138300k+ | Output is not escaped
#2725 | LJ Multi Column Archive | 4017251k+ | Output is not escaped
#2726 | Loan Comparison | 4027192400 | Request data is not unslashed
#2727 | MailerSend – Official SMTP Integration | 4039252k+ | Unsafe printing function
#2728 | Manual Image Crop | 40178618k+ | Output is not escaped
#2729 | MAS Company Reviews For WP Job Manager | 4044711k+ | Output is not escaped
#2730 | Mobile Contact Line | 40393551k+ | Non-prefixed global variable
#2731 | Modal Window – create popup modal window | 40417010k+ | Non-prefixed global variable
#2732 | Multiple Featured Images | 4050225k+ | Output is not escaped
#2733 | My Social Feeds – Social Feeds Embedder Plugin for WP | 40877400 | Request data is not unslashed
#2734 | Flying Images: Optimize and Lazy Load Images for Faster Page Speed | 4032583k+ | Missing direct file access protection
#2735 | No-Bot Registration | 40112422k+ | Unsafe printing function
#2736 | No CAPTCHA reCAPTCHA | 40112264k+ | Text Domain Mismatch
#2737 | One Click SSL | 401366210k+ | Unsafe printing function
#2738 | OPML Importer | 4035133k+ | Output is not escaped
#2739 | Pixel Tag Manager for WooCommerce – Google Analytics 4, Google Ads, and More Pixels | 40682493k+ | Missing nonce verification
#2740 | Plugin Load Filter | 40761127k+ | Text Domain Mismatch
#2741 | Popup addon for Ninja Forms | 40121251k+ | Output is not escaped
#2742 | Post Ratings | 4016032600 | Output is not escaped
#2743 | Private Google Calendars | 40227371k+ | Output is not escaped
#2744 | Privilege Widget | 4013952600 | Text Domain Mismatch
#2745 | Product Video Gallery for Woocommerce | 40613610k+ | Setting is missing a sanitization callback
#2746 | Quiz Cat – WordPress Quiz Plugin | 40151694k+ | Output is not escaped
#2747 | Random Banner | 40591251k+ | Output is not escaped
#2748 | Rename default post Labels | 405436600 | Text Domain Mismatch
#2749 | Responsive Full Width Background Slider | 40131222k+ | Unsafe printing function
#2750 | Responsive Gallery Grid | 4090144k+ | Output is not escaped