WordPress.Security.NonceVerification.Missing
Missing nonce verification
A request handler uses request data without verifying that the request was intentionally created by WordPress.
Why It Shows Up
The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.
Why It Matters
Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.
How to Fix
- Add a nonce to the form, link, AJAX request, or REST request.
- Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
- Keep capability checks separate; nonces prove intent, not permission.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3151 | Add LinkedIn Insight Tag for LinkedIn Ads | 49 | 126 | 23 | 5k+ | Non Singular String Literal Domain | ||
| #3152 | Logo Carousel Slider | 49 | 102 | 14 | 6k+ | Non Singular String Literal Domain | ||
| #3153 | Registered Users Only | 49 | 14 | 14 | 2k+ | Unsafe printing function | ||
| #3154 | Secondary Product Image for WooCommerce | 49 | 25 | 29 | 2k+ | Output is not escaped | ||
| #3155 | SKT Themes Demo Import | 49 | 218 | 104 | 4k+ | Text Domain Mismatch | ||
| #3156 | Songkick Concerts and Festivals | 49 | 9 | 48 | 500 | Input is not sanitized | ||
| #3157 | Taxonomy Images | 49 | 38 | 50 | 9k+ | Output is not escaped | ||
| #3158 | Gateway for Wise on WooCommerce | 49 | 28 | 30 | 1k+ | Output is not escaped | ||
| #3159 | Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit | 49 | 5 | 145 | 1k+ | Missing nonce verification | ||
| #3160 | WooBuilder | 49 | 20 | 17 | 700 | Output is not escaped | ||
| #3161 | Product Slider, Product Grid, Product Masonry | 49 | 55 | 144 | 10k+ | wp function not compatible with requires wp | ||
| #3162 | WP User Groups | 49 | 44 | 32 | 600 | Missing Translators Comment | ||
| #3163 | BuddyPress Groups Extras | 50 | 30 | 51 | 400 | Missing direct file access protection | ||
| #3164 | Block IPs for Gravity Forms | 50 | 8 | 36 | 1k+ | Request data is not unslashed | ||
| #3165 | IMGspider – 图片采集抓取插件 | 50 | 12 | 49 | 2k+ | Missing nonce verification | ||
| #3166 | Mailster Gravity Forms | 50 | 46 | 32 | 800 | Text Domain Mismatch | ||
| #3167 | PostmagThemes Demo Import | 50 | 191 | 114 | 1k+ | Text Domain Mismatch | ||
| #3168 | Product Open Pricing (Name Your Price) for WooCommerce | 50 | 105 | 37 | 6k+ | Text Domain Mismatch | ||
| #3169 | 📷 Simple QR Code Generator Widget | 50 | 21 | 14 | 400 | Output is not escaped | ||
| #3170 | Razorpay Payment Links for WooCommerce | 50 | 16 | 34 | 1k+ | Nonce verification recommended | ||
| #3171 | Section Widget | 50 | 24 | 35 | 500 | Nonce verification recommended | ||
| #3172 | Sözleşmeler | 50 | 6 | 36 | 1k+ | Input is not sanitized | ||
| #3173 | Theme Demo Import | 50 | 101 | 95 | 5k+ | Non-prefixed hook name | ||
| #3174 | TrustedSite | 50 | 29 | 14 | 20k+ | Output is not escaped | ||
| #3175 | BestWebSoft's Twitter | 50 | 477 | 174 | 900 | Text Domain Mismatch | ||
| #3176 | Ultimate Floating Widgets – Make popup sidebars | 50 | 48 | 14 | 3k+ | Output is not escaped | ||
| #3177 | Veeqo for WooCommerce | 50 | 30 | 17 | 700 | Missing direct file access protection | ||
| #3178 | Calculadora de Frete e Campos Checkout para o Brasil | 50 | 1 | 138 | 5k+ | Missing nonce verification | ||
| #3179 | WRC Pricing Tables – Responsive CSS3 Pricing Tables | 50 | 5 | 96 | 2k+ | Missing nonce verification | ||
| #3180 | Cart Popup for WooCommerce | 51 | 9 | 115 | 9k+ | Non-prefixed global variable | ||
| #3181 | AVIF Uploader | 51 | 49 | 44 | 4k+ | Missing Arg Domain | ||
| #3182 | Feeds for TikTok – Display Video Feeds in Grid Layouts | 51 | 18 | 59 | 1k+ | Request data is not unslashed | ||
| #3183 | WPML Multilingual for BuddyPress and BuddyBoss | 51 | 18 | 21 | 6k+ | SQL query is not prepared | ||
| #3184 | CloudFilt Bot & Spam Protection | 51 | 11 | 22 | 600 | Output is not escaped | ||
| #3185 | Counter Box – Add Countdowns, Timers & Dynamic Counters to WordPress | 51 | 3 | 116 | 1k+ | Missing nonce verification | ||
| #3186 | Dynamic Pricing and Discount Rules | 51 | 24 | 65 | 1k+ | Non Singular String Literal Text | ||
| #3187 | Gravity Forms No CAPTCHA reCAPTCHA | 51 | 30 | 17 | 10k+ | Text Domain Mismatch | ||
| #3188 | Hide Admin Bar | 51 | 35 | 17 | 20k+ | Unsafe printing function | ||
| #3189 | Interactive Globes – 3D World Maps | 51 | 24 | 104 | 400 | Non-prefixed global variable | ||
| #3190 | POLi Payments for WooCommerce | 51 | 62 | 26 | 500 | Text Domain Mismatch | ||
| #3191 | Quotes and Tips by BestWebSoft | 51 | 485 | 190 | 1k+ | Text Domain Mismatch | ||
| #3192 | Security-Protection | 51 | 5 | 32 | 400 | Missing nonce verification | ||
| #3193 | Popular Brand Icons – Simple Icons | 51 | 20 | 12 | 3k+ | Output is not escaped | ||
| #3194 | Redirect | 51 | 26 | 12 | 5k+ | Output is not escaped | ||
| #3195 | Star Rating Field For Contact Form 7 | 51 | 36 | 7 | 800 | Output is not escaped | ||
| #3196 | StoryChief | 51 | 12 | 55 | 1k+ | Input is not sanitized | ||
| #3197 | The Paste | 51 | 19 | 11 | 10k+ | Unsafe printing function | ||
| #3198 | Trustpilot Reviews | 51 | 14 | 52 | 30k+ | Missing nonce verification | ||
| #3199 | Payment Gateway Payoneer For WooCommerce | 51 | 9 | 35 | 900 | Input is not validated | ||
| #3200 | Swift SMTP (formerly Welcome Email Editor) | 51 | 12 | 62 | 7k+ | Missing nonce verification |