WordPress.Security.NonceVerification.Missing

Missing nonce verification

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical weight

Why It Shows Up

The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.

Why It Matters

Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.

How to Fix

  • Add a nonce to the form, link, AJAX request, or REST request.
  • Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
  • Keep capability checks separate; nonces prove intent, not permission.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2901Theme Blvd Importer412558500Missing nonce verification
#2902Threat Scan Plugin412917400Output is not escaped
#2903Advanced Editor Tools41143841m+Unsafe printing function
#2904Unbloater4157185k+Output is not escaped
#2905Checkout Field Editor (Checkout Manager) for WooCommerce41988400k+Nonce verification recommended
#2906Advanced Custom Stock Status4184339k+Output is not escaped
#2907WPC Product Bundles for WooCommerce41219330k+Missing nonce verification
#2908Country Based Restrictions for WooCommerce4127675k+Request data is not unslashed
#2909Quick View For WooCommerce4144441k+Output is not escaped
#2910Pay for Payment for WooCommerce41296710k+Missing nonce verification
#2911Spam Protect for Contact Form 741166110k+Request data is not unslashed
#2912WP Extended Search411593720k+Output is not escaped
#2913Pledged Plugins PCI Gateway for NMI and WooCommerce41160422k+Text Domain Mismatch
#2914WP Permalink Translator4134212k+Unsafe printing function
#2915WPC Composite Products for WooCommerce4111739k+Missing nonce verification
#2916WPS Hide Login4134722m+Nonce verification recommended
#2917Export WooCommerce Orders, Products, Customers & Coupons to Google Sheets414535700Output is not escaped
#2918Simple Accessibility Button4133171900Non-prefixed global variable
#2919Z-Credit Checkout – WooCommerce Payment Gateway4115122900Text Domain Mismatch
#2920Pricing Table – Responsive & Easy421171483k+Non-prefixed global variable
#2921ActiveTrail – Contact Form 7421885600Missing nonce verification
#2922Admin Options Pages423284500Nonce verification recommended
#2923Agoda Affiliate Partners Text Link Generator42440500Interpolated SQL is not prepared
#2924Automatic NBSP4224163k+Output is not escaped
#2925AweSplash – Just Splash Page423934400Output is not escaped
#2926多合一搜索自动推送管理插件-支持Baidu/Google/Bing/IndexNow/Yandex/头条4217382k+Input is not sanitized
#2927Bazz CallBack widget4255283k+Unsafe printing function
#2928Block Temporary Email423313500Unsafe printing function
#2929Booking.com Official Search Box4236322k+Output is not escaped
#2930BP Auto Group Join425555700Output is not escaped
#2931CCAvenue Payment Gateway for WooCommerce4253403k+Text Domain Mismatch
#2932HTML Template for CF74221271k+Non-prefixed global variable
#2933Change Background Color for Pages, Posts, Widgets42357500Text Domain Mismatch
#2934Cities Shipping Zones for WooCommerce4294444k+Text Domain Mismatch
#2935Clover Payments for WooCommerce4225152k+Exception output is not escaped
#2936Comment Reply Email422123500Unsafe printing function
#2937Contact Form 7 add confirm42315150k+Text Domain Mismatch
#2938Cookie Notify421554400Input is not validated
#2939CookieHub – Cookie Consent Banner (DSGVO, CCPA, RGPD and GDPR compliance)4233493k+Output is not escaped
#2940Cronjob Scheduler4220361k+Input is not sanitized
#2941Custom Admin Page by BestWebSoft – Configurable WordPress Dashboard Pages Plugin42472181400Text Domain Mismatch
#2942Custom Taxonomy Order42205650k+Output is not escaped
#2943CWW connector Lite – Connect Contact Form 7 & ActiveCampaign423921400Output is not escaped
#2944Dashboard Notes422734600Missing Arg Domain
#2945Dashboard Sticky Notes4220172k+Missing nonce verification
#2946Disable User Login4225195k+Unsafe printing function
#2947Storefront Online Ordering by DoorDash427610600Output is not escaped
#2948Easy Demo Import for Omega Themes423341400Output is not escaped
#2949Exclude Pages42311420k+Non Singular String Literal Domain
#2950File Media Renamer4216422k+Input is not sanitized