WordPress.Security.NonceVerification.Missing
Missing nonce verification
A request handler uses request data without verifying that the request was intentionally created by WordPress.
Why It Shows Up
The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.
Why It Matters
Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.
How to Fix
- Add a nonce to the form, link, AJAX request, or REST request.
- Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
- Keep capability checks separate; nonces prove intent, not permission.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3251 | Popup Maker – Responsive popup, Exit Intent Pop up, Email Optins, Autoresponder & More | 55 | 44 | 64 | 7k+ | Text Domain Mismatch | ||
| #3252 | Trusona for WordPress | 55 | 8 | 34 | 500 | Non-prefixed function | ||
| #3253 | VS Contact Form | 55 | 3 | 318 | 7k+ | Non-prefixed global variable | ||
| #3254 | VK Block Patterns | 55 | 8 | 61 | 100k+ | Non-prefixed function | ||
| #3255 | WP Ultimate Review | 55 | 23 | 381 | 70k+ | Non-prefixed global variable | ||
| #3256 | WPC Smart Messages for WooCommerce | 55 | 6 | 84 | 1k+ | Non-prefixed global variable | ||
| #3257 | Yext Plugin | 55 | 16 | 23 | 800 | Non-prefixed function | ||
| #3258 | All in One SEO Pack Importer | 56 | 17 | 25 | 500 | Direct Query | ||
| #3259 | Anti-Captcha (anti-spam botblocker) | 56 | 23 | 26 | 1k+ | rand mt rand | ||
| #3260 | SMTP by BestWebSoft | 56 | 486 | 175 | 1k+ | Text Domain Mismatch | ||
| #3261 | CHEQ Essentials | 56 | 14 | 49 | 700 | Request data is not unslashed | ||
| #3262 | Karma Music Player by Kadar | 56 | 47 | 9 | 700 | Output is not escaped | ||
| #3263 | Kwayy HTML Sitemap | 56 | 13 | 19 | 6k+ | Missing nonce verification | ||
| #3264 | LearnPress – Course Wishlist | 56 | 35 | 22 | 20k+ | Output is not escaped | ||
| #3265 | CIELO API PIX, credit card, debit payment for WooCommerce | 56 | 11 | 121 | 700 | Nonce verification recommended | ||
| #3266 | MAS Brands for WooCommerce | 56 | 80 | 15 | 10k+ | Text Domain Mismatch | ||
| #3267 | reCAPTCHA for Ninja Forms | 56 | 21 | 9 | 600 | Output is not escaped | ||
| #3268 | Maya Business Plugin | 56 | 9 | 39 | 600 | Input is not validated | ||
| #3269 | Replace Protected Password | 56 | 6 | 18 | 600 | Input is not sanitized | ||
| #3270 | Seed Social | 56 | 36 | 7 | 6k+ | Output is not escaped | ||
| #3271 | Simple Org Chart | 56 | 15 | 29 | 900 | Missing Version | ||
| #3272 | Export & Import WPBakery Page Builder | 56 | 12 | 20 | 9k+ | Missing nonce verification | ||
| #3273 | WC Moneris Payment Gateway | 56 | 82 | 20 | 900 | Text Domain Mismatch | ||
| #3274 | BestWebSoft’s Pinterest | 57 | 490 | 176 | 500 | Text Domain Mismatch | ||
| #3275 | Cache-Control | 57 | 26 | 4 | 1k+ | Output is not escaped | ||
| #3276 | Easy GDPR Consent Forms – MailChimp | 57 | 72 | 22 | 500 | Text Domain Mismatch | ||
| #3277 | Hide Admin Notices | 57 | 9 | 16 | 20k+ | Input is not sanitized | ||
| #3278 | Jquery Validation For Contact Form 7 | 57 | 16 | 19 | 9k+ | Missing direct file access protection | ||
| #3279 | JSON API User | 57 | 17 | 34 | 1k+ | Non-prefixed hook name | ||
| #3280 | Public Post Preview | 57 | 8 | 11 | 100k+ | Nonce verification recommended | ||
| #3281 | Remove admin menus by role | 57 | 5 | 54 | 8k+ | Input is not validated | ||
| #3282 | Search Exclude | 57 | 73 | 40 | 50k+ | Text Domain Mismatch | ||
| #3283 | Timologia for WooCommerce | 57 | 75 | 22 | 3k+ | Text Domain Mismatch | ||
| #3284 | Admin Page Notes | 58 | 17 | 15 | 700 | Text Domain Mismatch | ||
| #3285 | Web Accessibility Toolkit – Accessibility Checker & ARIA for WCAG, Section 508 & ADA Compliance | 58 | 9 | 21 | 500 | Output is not escaped | ||
| #3286 | Basic User Avatars | 58 | 17 | 7 | 20k+ | Output is not escaped | ||
| #3287 | Error Log Viewer by BestWebSoft | 58 | 433 | 172 | 6k+ | Text Domain Mismatch | ||
| #3288 | Flexible FAQ | 58 | 27 | 26 | 1k+ | Text Domain Mismatch | ||
| #3289 | Houzez WooCommerce Addon | 58 | 22 | 21 | 4k+ | Missing Translators Comment | ||
| #3290 | PageLoader Lite – Loading Screen | 58 | 29 | 17 | 700 | Output is not escaped | ||
| #3291 | Quickcreator – AI Blog Writer | 58 | 14 | 18 | 500 | Exception output is not escaped | ||
| #3292 | Simple CSS for widgets | 58 | 11 | 15 | 1k+ | Missing nonce verification | ||
| #3293 | SportsPress for Basketball | 58 | 104 | 34 | 1k+ | Text Domain Mismatch | ||
| #3294 | SportsPress for Football (Soccer) | 58 | 107 | 34 | 6k+ | Text Domain Mismatch | ||
| #3295 | SportsPress for Volleyball | 58 | 107 | 34 | 500 | Text Domain Mismatch | ||
| #3296 | Posts Order | 59 | 59 | 20 | 1k+ | Text Domain Mismatch | ||
| #3297 | Disabled Source, Disabled Right Click and Content Protection | 59 | 6 | 33 | 10k+ | Nonce verification recommended | ||
| #3298 | File Upload For WPForms – Filenzo | 59 | 8 | 16 | 1k+ | Output is not escaped | ||
| #3299 | GDPR Data Request Form | 59 | 22 | 19 | 5k+ | Missing direct file access protection | ||
| #3300 | Getty Images | 59 | 11 | 46 | 2k+ | Missing nonce verification |