WordPress.Security.NonceVerification.Missing

Missing nonce verification

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical weight

Why It Shows Up

The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.

Why It Matters

Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.

How to Fix

  • Add a nonce to the form, link, AJAX request, or REST request.
  • Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
  • Keep capability checks separate; nonces prove intent, not permission.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3001Advanced All in One Admin Search by WP Spotlight422525900Missing Version
#3002WPB Custom Tab Manager for WooCommerce – Add, Edit & Reorder Tabs429532500Output is not escaped
#3003WPTerm4261893k+Output is not escaped
#3004Yandex.Metrika421520900Unsafe printing function
#3005Admin Custom Login4323820k+Request data is not unslashed
#3006Advanced FAQ Manager438592k+Input is not sanitized
#3007AdWords Conversion Tracking Code4326251k+Non Singular String Literal Domain
#3008Anti-spam Reloaded4319192k+Output is not escaped
#3009Category Editor4354188k+Unsafe printing function
#3010Comment Reply Email Notification4344193k+Output is not escaped
#3011Custom Menu438311400wp function not compatible with requires wp
#3012Customize Snapshots43942500Nonce verification recommended
#3013Database Addon For WPForms ( wpforms entries ) – WPFormsDB43175320k+Nonce verification recommended
#3014Directorist – WPML Integration4310134400Non-prefixed hook name
#3015Disable Gutenberg432347500k+Nonce verification recommended
#3016Floating Awesome Button (Sticky Button, Popup, Toast) & 200+ Website Custom Interactive Element4366109800Missing direct file access protection
#3017GD bbPress Tools4315611k+Input is not sanitized
#3018Per User Prompt for Google Authenticator43852400Nonce verification recommended
#3019Insert Blocks Before or After Posts Content4342151k+Output is not escaped
#3020Logo Slider WP – Responsive Logo Carousel, Logo Gallery & Logo Showcase432225510k+Non-prefixed global variable
#3021MembershipWorks Login Connector432881800Request data is not unslashed
#3022Lightbox432910700Unsafe printing function
#3023Opal Woo Custom Product Variation431116400Non-prefixed global variable
#3024Pods Gravity Forms Add-On43791k+Missing nonce verification
#3025Purchase Orders for WooCommerce43117741k+Text Domain Mismatch
#3026Qodax Checkout Manager – Checkout Field Editor for WooCommerce431727400Interpolated SQL is not prepared
#3027reCAPTCHA for MW WP Form43371430k+Non Singular String Literal Domain
#3028Reoon Email Verifier432238600Missing nonce verification
#3029Rut Chileno con Validación para WooCommerce4335161k+Text Domain Mismatch
#3030Secure Passkeys43145831k+Exception output is not escaped
#3031Term Management Tools4392610k+Non-prefixed hook name
#3032Theme Test Drive4339167k+Output is not escaped
#3033Uber reCaptcha43129451k+Text Domain Mismatch
#3034UPI QR Code Payment Gateway for WooCommerce43422820k+Output is not escaped
#3035User role based shipping methods43537400Output is not escaped
#3036User Role Editor43117145700k+Output is not escaped
#3037utm.codes433433400Missing nonce verification
#3038VA Simple Expires432531800Output is not escaped
#3039WP Extra File Types43112640k+Request data is not unslashed
#3040WP Hotel Booking Stripe Payment433429400Text Domain Mismatch
#3041WP Hotel Booking WPML Support431052400Direct Query
#3042WP Post Expires4321152k+Output is not escaped
#3043WPC Countdown Timer for WooCommerce4352361k+Output is not escaped
#3044Active Campaign & Contact Form 74340273k+Output is not escaped
#3045Advanced Custom Fields: oEmbed Field4436131k+Text Domain Mismatch
#3046Advanced Dynamic Pricing and Discount Rules for WooCommerce44281320k+Non-prefixed namespace
#3047BBQ Firewall – Fast & Powerful Firewall Security441717100k+Output is not escaped
#3048Despacho vía Starken Pro para WooCommerce4417560400Text Domain Mismatch
#3049Comment Image4419231k+Output is not escaped
#3050Currency Converter Widget443763k+Unsafe printing function