WordPress.Security.NonceVerification.Missing
Missing nonce verification
A request handler reads request data and changes state without verifying that the request came from a form, link, or script that WordPress generated for the current user, so nothing proves the user intended to make it.
Why It Shows Up
The scan found request data (`$_GET`, `$_POST`, or a similar superglobal) being read in a function with no nonce verification call (`wp_verify_nonce()`, `check_admin_referer()`, or `check_ajax_referer()`) in scope.
Why It Matters
Without nonce verification the handler is open to cross-site request forgery (CSRF): a page on an attacker's site can make a logged-in user's browser submit the request, and because the user's session cookies ride along, any capability check passes and the state change (a rewritten option, a deleted record, an imported file) happens with the victim's privileges.
How to Fix
- Generate a nonce where the request originates: `wp_nonce_field()` in a form, `wp_nonce_url()` on a link, `wp_create_nonce()` passed to a script for AJAX calls. REST requests send a nonce for the `wp_rest` action in the `X-WP-Nonce` header; core checks it during cookie authentication, so the route's `permission_callback` is where the handler enforces access.
- Verify it before reading request data or changing state: `check_admin_referer()` for admin forms and links, `check_ajax_referer()` for `admin-ajax.php` handlers, or `wp_verify_nonce()` directly. Both `check_*` helpers die on failure by default; `wp_verify_nonce()` returns `false`, `1`, or `2` (the integer tells you which half of the nonce's lifetime it was generated in), so test it as a boolean rather than comparing against `true`.
- Bind the nonce to a specific action string (and, where it applies, the object ID) rather than reusing one generic action across handlers.
- Keep capability checks (`current_user_can()`) separate; nonces prove intent, not permission. Sanitize the input as well: a valid nonce says nothing about what the data contains.
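The steps above, as an added example that is not code from any plugin on this page: a settings handler that trips this sniff, followed by the same handler with the nonce bound to an action string, a capability check, and sanitization, plus the equivalent shape for an `admin-ajax.php` handler. The `myplugin_` prefix, the `myplugin_api_endpoint` option, and the nonce field names are assumptions for illustration.

```php
<?php
// Added example, not from the scanned plugins. Names prefixed "myplugin_" are assumed.

// BEFORE: flagged by WordPress.Security.NonceVerification.Missing.
// The capability check passes for any logged-in admin, including one whose browser was
// pointed at admin-post.php?action=myplugin_save by an attacker's page, so nothing proves
// the admin intended this write.
function myplugin_save_settings_unsafe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    update_option( 'myplugin_api_endpoint', sanitize_text_field( wp_unslash( $_POST['endpoint'] ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
}

// AFTER, step 1: the form carries a nonce bound to the action string 'myplugin_save_settings'.
function myplugin_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save">
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <input type="text" name="endpoint"
               value="<?php echo esc_attr( get_option( 'myplugin_api_endpoint', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// AFTER, step 2: verify the nonce before touching $_POST, then check permission, then sanitize.
function myplugin_save_settings() {
    // Reads $_REQUEST['myplugin_nonce'], runs wp_verify_nonce() against the same action
    // string, and dies with the "link you followed has expired" screen on failure.
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

    // The nonce proved intent; this proves permission. Both are required.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // A valid nonce says nothing about the payload, so still unslash and sanitize.
    $endpoint = isset( $_POST['endpoint'] )
        ? sanitize_text_field( wp_unslash( $_POST['endpoint'] ) )
        : '';
    update_option( 'myplugin_api_endpoint', $endpoint );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=myplugin' ) ) );
    exit;
}
add_action( 'admin_post_myplugin_save', 'myplugin_save_settings' );

// Same ordering for an admin-ajax.php handler. The client sends the value of
// wp_create_nonce( 'myplugin_clear_cache' ) in a request field named 'nonce';
// check_ajax_referer() verifies it and, by default, dies with -1 and HTTP 403 on failure.
function myplugin_ajax_clear_cache() {
    check_ajax_referer( 'myplugin_clear_cache', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    delete_transient( 'myplugin_cache' );
    wp_send_json_success();
}
add_action( 'wp_ajax_myplugin_clear_cache', 'myplugin_ajax_clear_cache' );
```

The order inside the handler matters to the scanner as well as to the attacker model: the nonce call sits at the top of the function, before any `$_POST` read, so the sniff sees a verification call in scope and a forged request never reaches the option write. Note also that a nonce is tied to the user's session and rotates on a 12-hour tick (valid for up to 24 hours), so a nonce emitted into a page cached across users, or stored for later reuse, will fail verification for everyone except the user it was minted for.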
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue |
|---|---|---|---|---|---|---|
| #2751 | Risk Free Cash On Delivery (COD) – WooCommerce | 40 | 106 | 31 | 400 | Text Domain Mismatch |
| #2752 | RPB Chessboard | 40 | 86 | 98 | 1k+ | Missing direct file access protection |
| #2753 | Salat Times | 40 | 235 | 20 | 500 | Output is not escaped |
| #2754 | Search Live | 40 | 132 | 71 | 600 | Output is not escaped |
| #2755 | Secondary Title | 40 | 117 | 31 | 7k+ | Unsafe printing function |
| #2756 | Sendy Widget | 40 | 46 | 17 | 700 | Output is not escaped |
| #2757 | Multipage | 40 | 72 | 28 | 900 | Unsafe printing function |
| #2758 | Shortcodes Finder | 40 | 22 | 188 | 4k+ | Nonce verification recommended |
| #2759 | Simple Page Sidebars | 40 | 55 | 65 | 20k+ | Output is not escaped |
| #2760 | Sinatra Core | 40 | 101 | 15 | 8k+ | Output is not escaped |
| #2761 | Specific Content For Mobile – Customize the mobile version without redirections | 40 | 26 | 155 | 4k+ | Nonce verification recommended |
| #2762 | SportsPress for Cricket | 40 | 122 | 34 | 500 | Text Domain Mismatch |
| #2763 | ST Demo Importer | 40 | 27 | 75 | 700 | Missing nonce verification |
| #2764 | Developer Tools Blocker | 40 | 35 | 47 | 400 | strip tags strip tags |
| #2765 | Theme and plugin translation for Polylang (TTfP) | 40 | 102 | 62 | 10k+ | Text Domain Mismatch |
| #2766 | Multiple Shipping Addresses for WooCommerce (Address Book) | 40 | 21 | 208 | 2k+ | Non-prefixed global variable |
| #2767 | ThemeZee Toolkit | 40 | 44 | 116 | 6k+ | Nonce verification recommended |
| #2768 | Thin Out Revisions | 40 | 93 | 35 | 800 | Non Singular String Literal Domain |
| #2769 | Timed Content | 40 | 76 | 63 | 5k+ | Unsafe printing function |
| #2770 | Track Geolocation Of Users Using Contact Form 7 | 40 | 17 | 173 | 900 | Nonce verification recommended |
| #2771 | Ultimate Dashboard – Custom WordPress Dashboard | 40 | 17 | 144 | 60k+ | Input is not sanitized |
| #2772 | Ultimate Member – ForumWP forum integration | 40 | 31 | 73 | 500 | Nonce verification recommended |
| #2773 | Universal Honey Pot | 40 | 23 | 94 | 1k+ | Missing nonce verification |
| #2774 | UsersWP – ReCaptcha | 40 | 80 | 17 | 3k+ | Text Domain Mismatch |
| #2775 | Visma Pay for Woocommerce | 40 | 27 | 37 | 2k+ | Output is not escaped |
| #2776 | Visual Editor Custom Buttons | 40 | 30 | 48 | 4k+ | Output is not escaped |
| #2777 | WooBooster Partial COD for WooCommerce | 40 | 90 | 51 | 500 | Text Domain Mismatch |
| #2778 | Where Did You Hear About Us Checkout Field for WooCommerce | 40 | 57 | 66 | 1k+ | Output is not escaped |
| #2779 | WC Search Orders By Product | 40 | 47 | 66 | 800 | Nonce verification recommended |
| #2780 | Webo-facto | 40 | 10 | 90 | 800 | Input is not sanitized |
| #2781 | Weight Based Pricing for WooCommerce | 40 | 167 | 86 | 600 | Text Domain Mismatch |
| #2782 | Widget Visibility Without Jetpack | 40 | 74 | 47 | 5k+ | Text Domain Mismatch |
| #2783 | Widgets Control | 40 | 92 | 47 | 800 | Output is not escaped |
| #2784 | Payment Gateway – nexi Alpha Bank for WooCommerce | 40 | 28 | 45 | 1k+ | Missing nonce verification |
| #2785 | WPC Frequently Bought Together for WooCommerce | 40 | 63 | 109 | 10k+ | Output is not escaped |
| #2786 | Preview E-mails for WooCommerce | 40 | 35 | 37 | 30k+ | Unsafe printing function |
| #2787 | NP Quote Request for WooCommerce | 40 | 91 | 145 | 9k+ | Non-prefixed global variable |
| #2788 | yubikey-plugin | 40 | 64 | 33 | 400 | Text Domain Mismatch |
| #2789 | All In One SEO Pack for WooCommerce | 40 | 57 | 25 | 3k+ | Text Domain Mismatch |
| #2790 | Simple Registration for WooCommerce | 40 | 27 | 55 | 4k+ | Missing nonce verification |
| #2791 | WP Compress for MainWP | 40 | 20 | 36 | 700 | Output is not escaped |
| #2792 | Custom CSS/JS | 40 | 58 | 34 | 700 | Text Domain Mismatch |
| #2793 | WP Discord Invite | 40 | 73 | 42 | 400 | Unsafe printing function |
| #2794 | WP Help | 40 | 49 | 54 | 10k+ | Unsafe printing function |
| #2795 | WP Keyword Suggest | 40 | 29 | 41 | 500 | Non Singular String Literal Domain |
| #2796 | WP Meteor Website Speed Optimization Addon | 40 | 34 | 19 | 20k+ | Output is not escaped |
| #2797 | WP Multisite Content Copier/Updater | 40 | 19 | 144 | 800 | Interpolated SQL is not prepared |
| #2798 | QR code MeCard/vCard generator | 40 | 322 | 21 | 2k+ | Unsafe printing function |
| #2799 | WP Reroute Email | 40 | 141 | 106 | 1k+ | Output is not escaped |
| #2800 | Sentry for WordPress | 40 | 80 | 40 | 10k+ | Text Domain Mismatch |