WordPress.Security.NonceVerification.Missing

Missing nonce verification

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical weight

Why It Shows Up

The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.

Why It Matters

Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.

How to Fix

  • Add a nonce to the form, link, AJAX request, or REST request.
  • Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
  • Keep capability checks separate; nonces prove intent, not permission.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2951Exclude Pages42311420k+Non Singular String Literal Domain
#2952File Media Renamer4216422k+Input is not sanitized
#2953First payment date for WooCommerce Subscriptions424219400Output is not escaped
#2954Flexible Editor Panel for Elementor421544220k+Text Domain Mismatch
#2955Fusion Page Builder : Extension – Gallery422930600Output is not escaped
#2956Hide Cart Functions4212503k+Nonce verification recommended
#2957Image Uploader for Welcart4227243k+Output is not escaped
#2958WP All Import – Import SEO Settings for Rank Math SEO4218447k+Nonce verification recommended
#2959iOS images fixer4222426k+Nonce verification recommended
#2960iyzico for WooCommerce42345410k+Unsafe printing function
#2961LeadSnap4214841k+Input is not validated
#2962Login No Captcha reCAPTCHA42452460k+Unsafe printing function
#2963Mailster Cool Captcha426528400Text Domain Mismatch
#2964Manage User Columns4215271k+Request data is not unslashed
#2965Message Popup For Contact Form 74230811k+Missing nonce verification
#2966My Upload Images427448400Unsafe printing function
#2967Nav Menu Collapse4217393k+Missing nonce verification
#2968NS Remove Related Products for WooCommerce4295433k+Output is not escaped
#2969OnPay.io for WooCommerce42238371k+Text Domain Mismatch
#2970PageMenu4216291k+Missing nonce verification
#2971PAYDUNYA WOOCOMMERCE PAR425432600Text Domain Mismatch
#2972Post Types Order424543600k+wp function not compatible with requires wp
#2973Posts Like Dislike42157395k+Non Singular String Literal Domain
#2974Product Price History for WooCommerce42101800Nonce verification recommended
#2975PuSHPress42116520k+Missing nonce verification
#2976reCAPTCHA for WooCommerce42803140k+Output is not escaped
#2977Rename wp-admin login4223388k+Output is not escaped
#2978Responsive Mortgage Calculator4238287k+Output is not escaped
#2979SALERT – Fake Sales Notification WooCommerce4241678k+Non-prefixed global variable
#2980Sendcloud Shipping4278565k+Output is not escaped
#2981Simple Meta Tags422813700Output is not escaped
#2982SMTP Mailer42514970k+Unsafe printing function
#2983Starter Sites4262251k+Output is not escaped
#2984Sticky Add To Cart Bar For WooCommerce424654600Output is not escaped
#2985ThemeZee Widget Bundle42211585k+Output is not escaped
#2986Transients Manager42455020k+Output is not escaped
#2987Two Factor421870100k+Nonce verification recommended
#2988Ultimate Category Excluder42222650k+Missing nonce verification
#2989Ultimate Coming Soon Page, Maintenance Mode & Under Construction – Gutenberg Block Builder & Landing Page4215899k+Non-prefixed global variable
#2990UPI QR Code Payment Gateway42179281k+Text Domain Mismatch
#2991Vast Demo Import42180113600Text Domain Mismatch
#2992WC Price History4218214k+Database parameter is not escaped
#2993WC Speed Repair4234741k+Non-prefixed global variable
#2994WebPlanex: GST Invoice India426363400Text Domain Mismatch
#2995Widget Visibility Time Scheduler4270341k+Output is not escaped
#2996Auto Coupons for WooCommerce4281684k+Output is not escaped
#2997WP Bulk Delete427130100k+Direct Query
#2998WP Cron Cleaner425138500Unsafe printing function
#2999WP Media Category Management4291766k+Nonce verification recommended
#3000Advanced All in One Admin Search by WP Spotlight422525900Missing Version