WordPress.Security.NonceVerification.Missing
Missing nonce verification
A request handler uses request data without verifying that the request was intentionally created by WordPress.
Why It Shows Up
The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.
Why It Matters
Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.
How to Fix
- Add a nonce to the form, link, AJAX request, or REST request.
- Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
- Keep capability checks separate; nonces prove intent, not permission.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3001 | Advanced All in One Admin Search by WP Spotlight | 42 | 25 | 25 | 900 | Missing Version | ||
| #3002 | WPB Custom Tab Manager for WooCommerce – Add, Edit & Reorder Tabs | 42 | 95 | 32 | 500 | Output is not escaped | ||
| #3003 | WPTerm | 42 | 61 | 89 | 3k+ | Output is not escaped | ||
| #3004 | Yandex.Metrika | 42 | 15 | 20 | 900 | Unsafe printing function | ||
| #3005 | Admin Custom Login | 43 | 238 | 20k+ | Request data is not unslashed | |||
| #3006 | Advanced FAQ Manager | 43 | 8 | 59 | 2k+ | Input is not sanitized | ||
| #3007 | AdWords Conversion Tracking Code | 43 | 26 | 25 | 1k+ | Non Singular String Literal Domain | ||
| #3008 | Anti-spam Reloaded | 43 | 19 | 19 | 2k+ | Output is not escaped | ||
| #3009 | Category Editor | 43 | 54 | 18 | 8k+ | Unsafe printing function | ||
| #3010 | Comment Reply Email Notification | 43 | 44 | 19 | 3k+ | Output is not escaped | ||
| #3011 | Custom Menu | 43 | 83 | 11 | 400 | wp function not compatible with requires wp | ||
| #3012 | Customize Snapshots | 43 | 9 | 42 | 500 | Nonce verification recommended | ||
| #3013 | Database Addon For WPForms ( wpforms entries ) – WPFormsDB | 43 | 17 | 53 | 20k+ | Nonce verification recommended | ||
| #3014 | Directorist – WPML Integration | 43 | 10 | 134 | 400 | Non-prefixed hook name | ||
| #3015 | Disable Gutenberg | 43 | 23 | 47 | 500k+ | Nonce verification recommended | ||
| #3016 | Floating Awesome Button (Sticky Button, Popup, Toast) & 200+ Website Custom Interactive Element | 43 | 66 | 109 | 800 | Missing direct file access protection | ||
| #3017 | GD bbPress Tools | 43 | 15 | 61 | 1k+ | Input is not sanitized | ||
| #3018 | Per User Prompt for Google Authenticator | 43 | 8 | 52 | 400 | Nonce verification recommended | ||
| #3019 | Insert Blocks Before or After Posts Content | 43 | 42 | 15 | 1k+ | Output is not escaped | ||
| #3020 | Logo Slider WP – Responsive Logo Carousel, Logo Gallery & Logo Showcase | 43 | 22 | 255 | 10k+ | Non-prefixed global variable | ||
| #3021 | MembershipWorks Login Connector | 43 | 28 | 81 | 800 | Request data is not unslashed | ||
| #3022 | Lightbox | 43 | 29 | 10 | 700 | Unsafe printing function | ||
| #3023 | Opal Woo Custom Product Variation | 43 | 1 | 116 | 400 | Non-prefixed global variable | ||
| #3024 | Pods Gravity Forms Add-On | 43 | 79 | 1k+ | Missing nonce verification | |||
| #3025 | Purchase Orders for WooCommerce | 43 | 117 | 74 | 1k+ | Text Domain Mismatch | ||
| #3026 | Qodax Checkout Manager – Checkout Field Editor for WooCommerce | 43 | 17 | 27 | 400 | Interpolated SQL is not prepared | ||
| #3027 | reCAPTCHA for MW WP Form | 43 | 37 | 14 | 30k+ | Non Singular String Literal Domain | ||
| #3028 | Reoon Email Verifier | 43 | 22 | 38 | 600 | Missing nonce verification | ||
| #3029 | Rut Chileno con Validación para WooCommerce | 43 | 35 | 16 | 1k+ | Text Domain Mismatch | ||
| #3030 | Secure Passkeys | 43 | 145 | 83 | 1k+ | Exception output is not escaped | ||
| #3031 | Term Management Tools | 43 | 9 | 26 | 10k+ | Non-prefixed hook name | ||
| #3032 | Theme Test Drive | 43 | 39 | 16 | 7k+ | Output is not escaped | ||
| #3033 | Uber reCaptcha | 43 | 129 | 45 | 1k+ | Text Domain Mismatch | ||
| #3034 | UPI QR Code Payment Gateway for WooCommerce | 43 | 42 | 28 | 20k+ | Output is not escaped | ||
| #3035 | User role based shipping methods | 43 | 53 | 7 | 400 | Output is not escaped | ||
| #3036 | User Role Editor | 43 | 117 | 145 | 700k+ | Output is not escaped | ||
| #3037 | utm.codes | 43 | 34 | 33 | 400 | Missing nonce verification | ||
| #3038 | VA Simple Expires | 43 | 25 | 31 | 800 | Output is not escaped | ||
| #3039 | WP Extra File Types | 43 | 11 | 26 | 40k+ | Request data is not unslashed | ||
| #3040 | WP Hotel Booking Stripe Payment | 43 | 34 | 29 | 400 | Text Domain Mismatch | ||
| #3041 | WP Hotel Booking WPML Support | 43 | 10 | 52 | 400 | Direct Query | ||
| #3042 | WP Post Expires | 43 | 21 | 15 | 2k+ | Output is not escaped | ||
| #3043 | WPC Countdown Timer for WooCommerce | 43 | 52 | 36 | 1k+ | Output is not escaped | ||
| #3044 | Active Campaign & Contact Form 7 | 43 | 40 | 27 | 3k+ | Output is not escaped | ||
| #3045 | Advanced Custom Fields: oEmbed Field | 44 | 36 | 13 | 1k+ | Text Domain Mismatch | ||
| #3046 | Advanced Dynamic Pricing and Discount Rules for WooCommerce | 44 | 2 | 813 | 20k+ | Non-prefixed namespace | ||
| #3047 | BBQ Firewall – Fast & Powerful Firewall Security | 44 | 17 | 17 | 100k+ | Output is not escaped | ||
| #3048 | Despacho vía Starken Pro para WooCommerce | 44 | 175 | 60 | 400 | Text Domain Mismatch | ||
| #3049 | Comment Image | 44 | 19 | 23 | 1k+ | Output is not escaped | ||
| #3050 | Currency Converter Widget | 44 | 37 | 6 | 3k+ | Unsafe printing function |