WordPress.Security.NonceVerification.Missing

Missing nonce verification

A request handler reads request data and acts on it without verifying that the request came from a form, link, or AJAX/REST call that WordPress generated for the current user, which is what a nonce proves.

Weight: critical

Why It Shows Up

The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.

Why It Matters

Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.

How to Fix

  • Add a nonce to the form, link, AJAX request, or REST request.
  • Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
  • Keep capability checks separate; nonces prove intent, not permission.
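The three steps above, carried through as an added example (not code from the scanner or from any listed plugin): a settings handler that trips this sniff, then the same handler with a nonce-bearing form, `check_admin_referer()` for intent, a separate `current_user_can()` gate for permission, and an AJAX variant using `check_ajax_referer()`. The option, action and hook names (`myplugin_*`) are assumptions.

```php
<?php
// Added example, not code from the scanner or any listed plugin. Option,
// action and hook names (myplugin_*) are assumptions.

// BEFORE: trips the sniff. Nothing proves the logged-in user meant to send
// this POST, so a form on another site can submit it from their browser.
function myplugin_save_settings_unsafe() {
    if ( isset( $_POST['myplugin_api_host'] ) ) {
        update_option( 'myplugin_api_host', sanitize_text_field( wp_unslash( $_POST['myplugin_api_host'] ) ) );
    }
}

// AFTER, step 1: the form carries a nonce bound to one named action.
function myplugin_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save_settings">
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <input type="text" name="myplugin_api_host" value="<?php echo esc_attr( get_option( 'myplugin_api_host', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// AFTER, step 2: check permission (capability) and intent (nonce) as two
// separate gates before any state change. check_admin_referer() calls
// wp_die() on failure; wp_verify_nonce() would instead return false.
function myplugin_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );
    $host = isset( $_POST['myplugin_api_host'] ) ? sanitize_text_field( wp_unslash( $_POST['myplugin_api_host'] ) ) : '';
    update_option( 'myplugin_api_host', $host );
    wp_safe_redirect( add_query_arg( 'settings-updated', 'true', wp_get_referer() ?: admin_url() ) );
    exit;
}
add_action( 'admin_post_myplugin_save_settings', 'myplugin_save_settings' );

// AJAX variant: the script sends wp_create_nonce( 'myplugin_refresh' ) as a
// "nonce" field; check_ajax_referer() reads it from $_REQUEST and dies on failure.
function myplugin_ajax_refresh() {
    check_ajax_referer( 'myplugin_refresh', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( array( 'refreshed' => true ) );
}
add_action( 'wp_ajax_myplugin_refresh', 'myplugin_ajax_refresh' );
```

The nonce and capability checks stay independent on purpose: a valid nonce from a subscriber's session still fails the `manage_options` gate, and an administrator's request without a nonce still fails the intent check.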

Affected Plugins

Rank | Plugin | Score | Errors / Warnings / Installs (digits fused as extracted) | Top Issue
#2751 | Risk Free Cash On Delivery (COD) – WooCommerce | 40 | 10631400 | Text Domain Mismatch
#2752 | RPB Chessboard | 40 | 86981k+ | Missing direct file access protection
#2753 | Salat Times | 40 | 23520500 | Output is not escaped
#2754 | Search Live | 40 | 13271600 | Output is not escaped
#2755 | Secondary Title | 40 | 117317k+ | Unsafe printing function
#2756 | Sendy Widget | 40 | 4617700 | Output is not escaped
#2757 | Multipage | 40 | 7228900 | Unsafe printing function
#2758 | Shortcodes Finder | 40 | 221884k+ | Nonce verification recommended
#2759 | Simple Page Sidebars | 40 | 556520k+ | Output is not escaped
#2760 | Sinatra Core | 40 | 101158k+ | Output is not escaped
#2761 | Specific Content For Mobile – Customize the mobile version without redirections | 40 | 261554k+ | Nonce verification recommended
#2762 | SportsPress for Cricket | 40 | 12234500 | Text Domain Mismatch
#2763 | ST Demo Importer | 40 | 2775700 | Missing nonce verification
#2764 | Developer Tools Blocker | 40 | 3547400 | strip tags strip tags
#2765 | Theme and plugin translation for Polylang (TTfP) | 40 | 1026210k+ | Text Domain Mismatch
#2766 | Multiple Shipping Addresses for WooCommerce (Address Book) | 40 | 212082k+ | Non-prefixed global variable
#2767 | ThemeZee Toolkit | 40 | 441166k+ | Nonce verification recommended
#2768 | Thin Out Revisions | 40 | 9335800 | Non Singular String Literal Domain
#2769 | Timed Content | 40 | 76635k+ | Unsafe printing function
#2770 | Track Geolocation Of Users Using Contact Form 7 | 40 | 17173900 | Nonce verification recommended
#2771 | Ultimate Dashboard – Custom WordPress Dashboard | 40 | 1714460k+ | Input is not sanitized
#2772 | Ultimate Member – ForumWP forum integration | 40 | 3173500 | Nonce verification recommended
#2773 | Universal Honey Pot | 40 | 23941k+ | Missing nonce verification
#2774 | UsersWP – ReCaptcha | 40 | 80173k+ | Text Domain Mismatch
#2775 | Visma Pay for Woocommerce | 40 | 27372k+ | Output is not escaped
#2776 | Visual Editor Custom Buttons | 40 | 30484k+ | Output is not escaped
#2777 | WooBooster Partial COD for WooCommerce | 40 | 9051500 | Text Domain Mismatch
#2778 | Where Did You Hear About Us Checkout Field for WooCommerce | 40 | 57661k+ | Output is not escaped
#2779 | WC Search Orders By Product | 40 | 4766800 | Nonce verification recommended
#2780 | Webo-facto | 40 | 1090800 | Input is not sanitized
#2781 | Weight Based Pricing for WooCommerce | 40 | 16786600 | Text Domain Mismatch
#2782 | Widget Visibility Without Jetpack | 40 | 74475k+ | Text Domain Mismatch
#2783 | Widgets Control | 40 | 9247800 | Output is not escaped
#2784 | Payment Gateway – nexi Alpha Bank for WooCommerce | 40 | 28451k+ | Missing nonce verification
#2785 | WPC Frequently Bought Together for WooCommerce | 40 | 6310910k+ | Output is not escaped
#2786 | Preview E-mails for WooCommerce | 40 | 353730k+ | Unsafe printing function
#2787 | NP Quote Request for WooCommerce | 40 | 911459k+ | Non-prefixed global variable
#2788 | yubikey-plugin | 40 | 6433400 | Text Domain Mismatch
#2789 | All In One SEO Pack for WooCommerce | 40 | 57253k+ | Text Domain Mismatch
#2790 | Simple Registration for WooCommerce | 40 | 27554k+ | Missing nonce verification
#2791 | WP Compress for MainWP | 40 | 2036700 | Output is not escaped
#2792 | Custom CSS/JS | 40 | 5834700 | Text Domain Mismatch
#2793 | WP Discord Invite | 40 | 7342400 | Unsafe printing function
#2794 | WP Help | 40 | 495410k+ | Unsafe printing function
#2795 | WP Keyword Suggest | 40 | 2941500 | Non Singular String Literal Domain
#2796 | WP Meteor Website Speed Optimization Addon | 40 | 341920k+ | Output is not escaped
#2797 | WP Multisite Content Copier/Updater | 40 | 19144800 | Interpolated SQL is not prepared
#2798 | QR code MeCard/vCard generator | 40 | 322212k+ | Unsafe printing function
#2799 | WP Reroute Email | 40 | 1411061k+ | Output is not escaped
#2800 | Sentry for WordPress | 40 | 804010k+ | Text Domain Mismatch