WordPress.Security.NonceVerification.Missing
Missing nonce verification
A request handler uses request data without verifying that the request was intentionally created by WordPress.
Why It Shows Up
The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.
Why It Matters
Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.
How to Fix
- Add a nonce to the form, link, AJAX request, or REST request.
- Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
- Keep capability checks separate; nonces prove intent, not permission.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3201 | Request a Quote for WooCommerce – Get a Quote Button | 52 | 25 | 12 | 6k+ | Output is not escaped | ||
| #3202 | Podium | 52 | 21 | 23 | 5k+ | Missing direct file access protection | ||
| #3203 | Product Bundles – Variation Bundles | 52 | 23 | 13 | 600 | Output is not escaped | ||
| #3204 | Product Time Countdown for WooCommerce | 52 | 7 | 36 | 400 | Input is not sanitized | ||
| #3205 | Starbox – the Author Box for Humans | 52 | 144 | 19 | 10k+ | Non Singular String Literal Domain | ||
| #3206 | Stealth Publish | 52 | 7 | 22 | 900 | Missing nonce verification | ||
| #3207 | TNC Toolbox: Web Performance | 52 | 20 | 25 | 1k+ | Output is not escaped | ||
| #3208 | Notiqoo – Order Notification & Customer Chat for WooCommerce | 52 | 11 | 187 | 1k+ | Non-prefixed global variable | ||
| #3209 | Wenprise Pinyin Slug | 52 | 30 | 34 | 4k+ | Text Domain Mismatch | ||
| #3210 | Add to Cart Custom Redirect for WooCommerce | 52 | 33 | 13 | 2k+ | Text Domain Mismatch | ||
| #3211 | WP Secure Maintenance | 52 | 28 | 18 | 1k+ | Output is not escaped | ||
| #3212 | Elegant Custom Fonts | 53 | 15 | 17 | 3k+ | Output is not escaped | ||
| #3213 | FakerPress | 53 | 66 | 152 | 10k+ | Non-prefixed global variable | ||
| #3214 | International Telephone Input for Contact Form 7 | 53 | 18 | 10 | 8k+ | Missing direct file access protection | ||
| #3215 | MOBILOOK — Mobile View & Mobile‑Friendly Test | 53 | 10 | 20 | 1k+ | Missing nonce verification | ||
| #3216 | Multiple Post Thumbnails | 53 | 25 | 18 | 20k+ | Output is not escaped | ||
| #3217 | pretix widget | 53 | 25 | 39 | 400 | Non-prefixed global variable | ||
| #3218 | Pure Metafields | 53 | 5 | 130 | 10k+ | Non-prefixed global variable | ||
| #3219 | REST API Featured Image | 53 | 34 | 16 | 700 | Output is not escaped | ||
| #3220 | Simple Copy Post Button | 53 | 14 | 24 | 400 | Input is not sanitized | ||
| #3221 | Simple Masonry Layout | 53 | 28 | 28 | 1k+ | Output is not escaped | ||
| #3222 | Skroutz Analytics for WooCommerce | 53 | 57 | 15 | 1k+ | Text Domain Mismatch | ||
| #3223 | Morning for WooCommerce | 53 | 7 | 59 | 1k+ | Non-prefixed global variable | ||
| #3224 | Widget Context | 53 | 14 | 20 | 40k+ | Non-prefixed hook name | ||
| #3225 | Better Admin Bar | 54 | 27 | 63 | 3k+ | Non-prefixed global variable | ||
| #3226 | Blockskit | 54 | 33 | 29 | 8k+ | Text Domain Mismatch | ||
| #3227 | CSV Importer | 54 | 24 | 11 | 3k+ | Missing direct file access protection | ||
| #3228 | Custom Category Templates | 54 | 11 | 11 | 3k+ | Unsafe printing function | ||
| #3229 | Discount Rules for WooCommerce – Disco | Dynamic Pricing, Conditions, Bulk, Bundle, BOGO | 54 | 1 | 61 | 2k+ | Request data is not unslashed | ||
| #3230 | Easy Elementor Addons – Addons Pack for Elementor Page Builder | 54 | 35 | 68 | 1k+ | Post Not In exclude | ||
| #3231 | Helpie FAQ — Accordion, Docs & Knowledge Base | 54 | 96 | 89 | 9k+ | Nonce verification recommended | ||
| #3232 | Juiz Lang Attribute | 54 | 26 | 27 | 2k+ | Text Domain Mismatch | ||
| #3233 | Simple XML Sitemap Generator | 54 | 8 | 28 | 3k+ | Non-prefixed function | ||
| #3234 | SimplyBook.me – Booking and reservations calendar | 54 | 31 | 13 | 30k+ | Exception output is not escaped | ||
| #3235 | Sp*tify Play Button for WordPress | 54 | 21 | 15 | 3k+ | Text Domain Mismatch | ||
| #3236 | Sticky Floating Forms Lite | 54 | 26 | 29 | 900 | Non-prefixed global variable | ||
| #3237 | WP Resized Image Quality | 54 | 19 | 9 | 800 | Output is not escaped | ||
| #3238 | WP Social Preview | 54 | 33 | 15 | 800 | Non Singular String Literal Domain | ||
| #3239 | YITH Proteo Toolkit | 54 | 130 | 64 | 1k+ | Text Domain Mismatch | ||
| #3240 | Accordions | 55 | 1 | 101 | 20k+ | slow db query meta query | ||
| #3241 | Admin Bar User Switching | 55 | 16 | 31 | 2k+ | Input is not validated | ||
| #3242 | AI Assistant for Elementor – Auto Content Writer, OpenAI, ChatGPT | 55 | 151 | 24 | 400 | Text Domain Mismatch | ||
| #3243 | Ascending Posts by Fly Plugins | 55 | 23 | 13 | 500 | Text Domain Mismatch | ||
| #3244 | Chabok | چابک | 55 | 16 | 31 | 400 | Nonce verification recommended | ||
| #3245 | Easy Quotes | 55 | 11 | 31 | 700 | Direct Query | ||
| #3246 | Email Template Customizer for WooCommerce | 55 | 552 | 248 | 20k+ | Text Domain Mismatch | ||
| #3247 | Holded integration | 55 | 72 | 23 | 2k+ | Non Singular String Literal Domain | ||
| #3248 | JetWidgets For Elementor | 55 | 99 | 279 | 10k+ | Non-prefixed global variable | ||
| #3249 | Landingi Landing Pages | 55 | 18 | 23 | 2k+ | Input is not sanitized | ||
| #3250 | LoginPress | wp-login Custom Login Page Customizer | 55 | 125 | 308 | 200k+ | Non-prefixed function |