WordPress.Security.NonceVerification.Missing

Missing nonce verification

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical weight

Why It Shows Up

The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.

Why It Matters

Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.

How to Fix

  • Add a nonce to the form, link, AJAX request, or REST request.
  • Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
  • Keep capability checks separate; nonces prove intent, not permission.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2801Add-on Contact Form 7 – MailPoet 34188123k+Output is not escaped
#2802Add Chat App Button4182122k+Output is not escaped
#2803Advance Bank Payment Transfer Gateway41105621k+Text Domain Mismatch
#2804Advanced Excerpt41694370k+Unsafe printing function
#2805AffiliateWP – Affiliate Product Rates4184241k+Output is not escaped
#2806Age Verify4129311k+Output is not escaped
#2807AH Display Widgets4152168k+Text Domain Mismatch
#2808Amazon Web Services4153215k+Missing Translators Comment
#2809Antispam411141400Missing nonce verification
#2810Authenticator4159441k+Output is not escaped
#2811Avatar Manager4129415k+Unsafe printing function
#2812Beam me up Scotty – Back to Top Button4171381k+Output is not escaped
#2813Beautiful Cookie Consent Banner41337640k+Non-prefixed global variable
#2814BuddyPress Xprofile Custom Field Types41391894k+Missing nonce verification
#2815Bulk Auto Image Title Attribute (Image Title tag) optimizer (Image SEO)4116371k+Missing nonce verification
#2816Cache control by Cacholong418730500Non Singular String Literal Domain
#2817Carbon Copy4164893k+Text Domain Mismatch
#2818Categorized Tag Cloud4144171k+Output is not escaped
#2819Conditional Fields for Contact Form 74110653100k+Output is not escaped
#2820CF7 Invisible reCAPTCHA4119527k+Request data is not unslashed
#2821clickskeks.at Cookiebanner412118500Unsafe printing function
#2822CMS Tree Page View – Reorder Pages with a Drag-and-Drop Tree411219650k+Unsafe printing function
#2823CoinPayments.net Payment Gateway for WooCommerce4151321k+Text Domain Mismatch
#2824Contact Form 7 Captcha41775100k+Request data is not unslashed
#2825Content Widget41729400Output is not escaped
#2826Contribuinte Checkout4130301k+Output is not escaped
#2827Controlled Admin Access41224010k+Nonce verification recommended
#2828Custom Meta412329700Output is not escaped
#2829Custom Post Type Cleanup4170121k+Output is not escaped
#2830Dashboard Notepad41293410k+Missing nonce verification
#2831Developer Loggers for Simple History414628400Text Domain Mismatch
#2832DevVN Local Store4184281k+Unsafe printing function
#2833Dinamize414165500Output is not escaped
#2834DigitalOcean Spaces Sync41808500Text Domain Mismatch
#2835DSGVO Youtube4148291k+Unsafe printing function
#2836Easy Random Quotes414214500Output is not escaped
#2837Email Address Encoder411098100k+wp function not compatible with requires wp
#2838Essential Form – The lightest plugin for contact forms, ultra lightweight and no spam412153500Missing nonce verification
#2839Payment Gateway of PayPal for WooCommerce41441847k+Nonce verification recommended
#2840Extra User Details4184151k+Non Singular String Literal Domain
#2841Fast Chat Button41241881k+Non-prefixed global variable
#2842Featured Image Generator4131161k+Output is not escaped
#2843Flexible Posts Widget41136338k+Output is not escaped
#2844Google Authenticator41396520k+Output is not escaped
#2845(Simply) Guest Author Name4135362k+Output is not escaped
#2846Hide WP Admin Login412339500Nonce verification recommended
#2847Image Editor by Pixo4112068800Output is not escaped
#2848Import external attachments4118262k+Output is not escaped
#2849Infinite Ajax Scrolling Lite For Woocommerce413328500Output is not escaped
#2850Inpost Paczkomaty4135688k+Text Domain Mismatch