WordPress.Security.NonceVerification.Missing
Missing nonce verification
A request handler uses request data without verifying that the request was intentionally created by WordPress.
Why It Shows Up
The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.
Why It Matters
Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.
How to Fix
- Add a nonce to the form, link, AJAX request, or REST request.
- Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
- Keep capability checks separate; nonces prove intent, not permission.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2851 | Insert JavaScript and CSS | 41 | 64 | 19 | 400 | Text Domain Mismatch | ||
| #2852 | Social Sharing Plugin – Kiwi | 41 | 23 | 80 | 4k+ | Non-prefixed global variable | ||
| #2853 | Central Color Palette | 41 | 73 | 33 | 10k+ | Output is not escaped | ||
| #2854 | Lazy Load Optimizer | 41 | 63 | 26 | 3k+ | Unsafe printing function | ||
| #2855 | LH Agree to Terms | 41 | 59 | 32 | 800 | Output is not escaped | ||
| #2856 | Lockdown WP Admin | 41 | 20 | 50 | 10k+ | Request data is not unslashed | ||
| #2857 | Magic Liquidizer Responsive Table | 41 | 114 | 38 | 6k+ | Text Domain Mismatch | ||
| #2858 | Mollie Forms | 41 | 14 | 565 | 3k+ | Request data is not unslashed | ||
| #2859 | MS Custom Login | 41 | 117 | 6 | 900 | Unsafe printing function | ||
| #2860 | My Favorites | 41 | 35 | 34 | 1k+ | Output is not escaped | ||
| #2861 | Native Emoji | 41 | 54 | 37 | 5k+ | Unsafe printing function | ||
| #2862 | Nepali Date Utilities | 41 | 51 | 15 | 1k+ | date date | ||
| #2863 | Grid Gallery – for Photo Gallery, Image Gallery & Portfolio | 41 | 9 | 74 | 1k+ | Request data is not unslashed | ||
| #2864 | Social Login | 41 | 8 | 110 | 5k+ | Input is not sanitized | ||
| #2865 | Omnibus — show the lowest price | 41 | 35 | 37 | 10k+ | Output is not escaped | ||
| #2866 | Optimus – WordPress Image Optimizer | 41 | 52 | 20 | 30k+ | Unsafe printing function | ||
| #2867 | Passwordless Login | 41 | 40 | 24 | 1k+ | Output is not escaped | ||
| #2868 | Personalize Login | 41 | 47 | 84 | 500 | Nonce verification recommended | ||
| #2869 | Phone Button | 41 | 25 | 203 | 700 | Non-prefixed global variable | ||
| #2870 | Pods – Custom Content Types and Fields | 41 | 5 | 233 | 100k+ | Direct Query | ||
| #2871 | Web Accessibility (formally known as Ally) – WCAG Scanning, Guided Fixes, Usability Widget | 41 | 47 | 38 | 500k+ | Output is not escaped | ||
| #2872 | Smart Post – Post Grid, Post Carousel, Post Slider Gutenberg Blocks for Blog & News | 41 | 537 | 20k+ | Non-prefixed global variable | |||
| #2873 | Posts 2 Posts | 41 | 42 | 73 | 10k+ | Non Singular String Literal Domain | ||
| #2874 | Preload LCP Image | 41 | 110 | 31 | 4k+ | Unsafe printing function | ||
| #2875 | Product Expiry for WooCommerce | 41 | 31 | 85 | 2k+ | Request data is not unslashed | ||
| #2876 | Simple Product Options for WooCommerce | 41 | 62 | 41 | 3k+ | Output is not escaped | ||
| #2877 | Product Questions & Answers for WooCommerce | 41 | 81 | 95 | 400 | Output is not escaped | ||
| #2878 | Variation Swatches for WooCommerce | 41 | 29 | 126 | 9k+ | Missing nonce verification | ||
| #2879 | Quick View WooCommerce | 41 | 80 | 12 | 1k+ | Output is not escaped | ||
| #2880 | Recurring PayPal Donations | 41 | 48 | 47 | 800 | Text Domain Mismatch | ||
| #2881 | Responsive Lightbox | 41 | 68 | 10 | 10k+ | Output is not escaped | ||
| #2882 | Revision Control | 41 | 60 | 28 | 40k+ | Output is not escaped | ||
| #2883 | Revisionize | 41 | 54 | 24 | 4k+ | Output is not escaped | ||
| #2884 | Send link to friend | 41 | 81 | 47 | 400 | Output is not escaped | ||
| #2885 | Service Box | 41 | 150 | 230 | 400 | Missing nonce verification | ||
| #2886 | Simple 301 Redirects By BetterLinks – Easy WordPress Redirect Manager for Redirects, 404 Error Log & More | 41 | 43 | 61 | 100k+ | Request data is not unslashed | ||
| #2887 | Simple Like Page – Fast & Privacy-Friendly Page Embeds | 41 | 145 | 31 | 10k+ | Output is not escaped | ||
| #2888 | Simple Lightbox | 41 | 21 | 48 | 100k+ | Nonce verification recommended | ||
| #2889 | Simple Restrict | 41 | 34 | 12 | 1k+ | Output is not escaped | ||
| #2890 | SiteSEO – SEO Simplified | 41 | 20 | 110 | 500k+ | Nonce verification recommended | ||
| #2891 | SnapScan Payment Gateway | 41 | 33 | 30 | 700 | Output is not escaped | ||
| #2892 | Squeeze – Image Optimization & Compression, WEBP Conversion | 41 | 20 | 70 | 2k+ | Nonce verification recommended | ||
| #2893 | StifLi Flex MCP – MCP Server with undo for ChatGPT, Claude & Gemini | 41 | 2 | 111 | 1k+ | Interpolated SQL is not prepared | ||
| #2894 | Super Testimonial – Testimonial & Customer Review Slider Plugin for WordPress | 41 | 27 | 168 | 2k+ | Request data is not unslashed | ||
| #2895 | tarteaucitron.io | 41 | 44 | 92 | 10k+ | Output is not escaped | ||
| #2896 | Taxonomy Converter | 41 | 54 | 24 | 500 | Output is not escaped | ||
| #2897 | Taxonomy Filter | 41 | 143 | 40 | 800 | Output is not escaped | ||
| #2898 | Text Hover | 41 | 44 | 13 | 1k+ | Output is not escaped | ||
| #2899 | Text Replace | 41 | 55 | 12 | 3k+ | Output is not escaped | ||
| #2900 | Feedback Company | 41 | 63 | 36 | 800 | Output is not escaped |