WordPress.Security.NonceVerification.Missing

Missing nonce verification

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical weight

Why It Shows Up

The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.

Why It Matters

Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.

How to Fix

  • Add a nonce to the form, link, AJAX request, or REST request.
  • Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
  • Keep capability checks separate; nonces prove intent, not permission.
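
The three steps above applied to one admin form, with the flagged pattern next to the corrected handler. This is an added example, not code from any plugin listed on this page; the `acme_` prefix, the `acme_label` option and the `acme` text domain are hypothetical.

```php
<?php
// Added example. The "acme_" prefix, option name and text domain are hypothetical.

// Step 1: render the form with a nonce bound to one specific action.
function acme_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="acme_save_label" />
        <?php wp_nonce_field( 'acme_save_label', 'acme_nonce' ); ?>
        <input type="text" name="acme_label" />
        <?php submit_button(); ?>
    </form>
    <?php
}

// Flagged pattern: $_POST is read and state changes with no nonce check.
function acme_save_label_flagged() {
    if ( isset( $_POST['acme_label'] ) ) {
        update_option( 'acme_label', sanitize_text_field( wp_unslash( $_POST['acme_label'] ) ) );
    }
}

// Corrected handler: permission and intent are checked separately,
// and both checks run before any state change.
function acme_save_label() {
    // Step 3: capability check. A valid nonce does not imply permission.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to change this setting.', 'acme' ),
            '',
            array( 'response' => 403 )
        );
    }

    // Step 2: nonce check. Execution stops here if the nonce is missing or invalid.
    check_admin_referer( 'acme_save_label', 'acme_nonce' );

    if ( isset( $_POST['acme_label'] ) ) {
        update_option( 'acme_label', sanitize_text_field( wp_unslash( $_POST['acme_label'] ) ) );
    }

    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
add_action( 'admin_post_acme_save_label', 'acme_save_label' );
```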

Affected Plugins

| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #251 | Search & Replace Everything – Quick and Easy Way to Find and Replace Text, Links | 22 | 1,044 | 1,797 | 20k+ | | | Non-prefixed global variable |
| #252 | UpStream: a Project Management Plugin for WordPress | 22 | 683 | 703 | 600 | | | Non-prefixed global variable |
| #253 | URL Shortify – Simple and Easy URL Shortener | 22 | 1,520 | 2,689 | 10k+ | | | Non-prefixed global variable |
| #254 | Welcart e-Commerce | 22 | 10,378 | 10,931 | 10k+ | | | Text Domain Mismatch |
| #255 | Walker Core | 22 | 1,351 | 1,436 | 800 | | | Non-prefixed global variable |
| #256 | WCFM – Frontend Manager for WooCommerce | 22 | 4,754 | 5,054 | 20k+ | | | Non-prefixed global variable |
| #257 | WCFM Marketplace – Multivendor Marketplace for WooCommerce | 22 | 1,934 | 1,966 | 10k+ | | | Non-prefixed global variable |
| #258 | WCFM Membership – WooCommerce Memberships for Multivendor Marketplace | 22 | 559 | 675 | 10k+ | | | Non-prefixed global variable |
| #259 | Wenprise WeChatPay Payment Gateway For WooCommerce | 22 | 443 | 178 | 400 | | | Exception output is not escaped |
| #260 | WooCommerce | 22 | 1,359 | 6,172 | 7m+ | | | Non-prefixed global variable |
| #261 | Advanced AJAX Product Filters | 22 | 2,683 | 1,205 | 50k+ | | | Text Domain Mismatch |
| #262 | CoDesigner – All in One Elementor WooCommerce Builder | 22 | 4,131 | 774 | 5k+ | | | Text Domain Mismatch |
| #263 | Simple Shopping Cart | 22 | 796 | 536 | 10k+ | | | Unsafe printing function |
| #264 | ManageWP Worker | 22 | 507 | 565 | 1m+ | | | Non-prefixed class |
| #265 | WP Affiliate Disclosure | 22 | 1,358 | 1,504 | 1k+ | | | Non-prefixed global variable |
| #266 | Asset CleanUp: Page Speed Booster | 22 | 2,030 | 2,485 | 100k+ | | | Non-prefixed global variable |
| #267 | Master Accordion ( Former WP Awesome FAQ Plugin ) | 22 | 1,774 | 1,286 | 700 | | | Non-prefixed global variable |
| #268 | WP Express Checkout (Fast Payments via PayPal & Stripe) | 22 | 591 | 627 | 1k+ | | | Output is not escaped |
| #269 | File Manager | 22 | 740 | 520 | 1m+ | | | Unsafe printing function |
| #270 | WP Fusion Lite – Marketing Automation and CRM Integration for WordPress | 22 | 275 | 683 | 5k+ | | | Nonce verification recommended |
| #271 | WP Umbrella: Update Backup Restore & Monitoring | 22 | 918 | 916 | 70k+ | | | Exception output is not escaped |
| #272 | SchedulePress – Auto Post & Publish, Auto Social Share, Schedule Posts with Editorial Calendar & Missed Schedule Post Publisher | 22 | 307 | 245 | 10k+ | | | Output is not escaped |
| #273 | AidWP – Donation & Payment Forms (Stripe Powered) | 22 | 1,317 | 1,675 | 800 | | | Non-prefixed global variable |
| #274 | WP Super Minify • Minify, Compress and Cache HTML, CSS & JavaScript | 22 | 164 | 257 | 9k+ | | | Non-prefixed constant |
| #275 | User Frontend: AI Powered Frontend Posting, User Directory, Profile Builder, Membership & User Registration | 22 | 287 | 1,432 | 20k+ | | | Non-prefixed global variable |
| #276 | WP-WebAuthn | 22 | 957 | 396 | 2k+ | | | Exception output is not escaped |
| #277 | WPBITS Addons For Elementor Page Builder | 22 | 996 | 1,399 | 2k+ | | | Non-prefixed global variable |
| #278 | WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell | 22 | 5,996 | 2,790 | 5k+ | | | Text Domain Mismatch |
| #279 | WPSSO Core – Complete Schema Markup and Meta Tags | 22 | 1,407 | 412 | 5k+ | | | Missing Translators Comment |
| #280 | WUPO Group Attributes for WooCommerce | 22 | 592 | 1,391 | 400 | | | Non-prefixed global variable |
| #281 | YaySMTP – WP Mail SMTP with Email Logs, Tracking & Reports | 22 | 654 | 435 | 10k+ | | | Exception output is not escaped |
| #282 | ЮKassa для WooCommerce | 22 | 590 | 168 | 9k+ | | | Short PHP open tag found |
| #283 | Recipe Cards For Your Food Blog from Zip Recipes | 22 | 1,126 | 1,731 | 1k+ | | | Non-prefixed global variable |
| #284 | Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce | 23 | 1,185 | 1,027 | 1k+ | | | Text Domain Mismatch |
| #285 | Advanced Custom Fields: Extended | 23 | 1,885 | 329 | 100k+ | | | Text Domain Mismatch |
| #286 | Custom WooCommerce Checkout Fields Editor | 23 | 755 | 1,386 | 2k+ | | | Non-prefixed global variable |
| #287 | Admin and Site Enhancements (ASE) | 23 | 136 | 330 | 200k+ | | | Nonce verification recommended |
| #288 | Advanced Custom Fields (ACF®) | 23 | 2,456 | 1,218 | 2m+ | | | Text Domain Mismatch |
| #289 | Advanced Product Labels for WooCommerce | 23 | 921 | 559 | 20k+ | | | Text Domain Mismatch |
| #290 | AI Engine – The Chatbot, AI Framework & MCP for WordPress | 23 | 412 | 539 | 100k+ | | | error log error log |
| #291 | Affiliate Super Assistent | 23 | 1,280 | 267 | 2k+ | | | Text Domain Mismatch |
| #292 | AR for WordPress | 23 | 151 | 499 | 400 | | | Non-prefixed global variable |
| #293 | Autoptimize | 23 | 288 | 191 | 800k+ | | | Output is not escaped |
| #294 | B2BKing — Ultimate WooCommerce B2B and Wholesale Plugin — Wholesale Prices, Bulk Order Form & More | 23 | 1,347 | 409 | 10k+ | | | Text Domain Mismatch |
| #295 | BA Book Everything | 23 | 1,184 | 1,086 | 10k+ | | | Output is not escaped |
| #296 | Kadence Security – Password, Two Factor Authentication, and Brute Force Protection | 23 | 1,053 | 967 | 700k+ | | | Missing Translators Comment |
| #297 | BlossomThemes Email Newsletter | 23 | 337 | 239 | 20k+ | | | Output is not escaped |
| #298 | Booking calendar, Appointment Booking System | 23 | 1,079 | 1,125 | 4k+ | | | Output is not escaped |
| #299 | BSK PDF Manager | 23 | 1,576 | 625 | 7k+ | | | Text Domain Mismatch |
| #300 | BuddyDrive | 23 | 722 | 1,597 | 1k+ | | | Non-prefixed global variable |