WordPress.Security.NonceVerification.Missing

Missing nonce verification

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical weight

Why It Shows Up

The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.

Why It Matters

Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.

How to Fix

  • Add a nonce to the form, link, AJAX request, or REST request.
  • Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
  • Keep capability checks separate; nonces prove intent, not permission.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3251Popup Maker – Responsive popup, Exit Intent Pop up, Email Optins, Autoresponder & More5544647k+Text Domain Mismatch
#3252Trusona for WordPress55834500Non-prefixed function
#3253VS Contact Form5533187k+Non-prefixed global variable
#3254VK Block Patterns55861100k+Non-prefixed function
#3255WP Ultimate Review552338170k+Non-prefixed global variable
#3256WPC Smart Messages for WooCommerce556841k+Non-prefixed global variable
#3257Yext Plugin551623800Non-prefixed function
#3258All in One SEO Pack Importer561725500Direct Query
#3259Anti-Captcha (anti-spam botblocker)5623261k+rand mt rand
#3260SMTP by BestWebSoft564861751k+Text Domain Mismatch
#3261CHEQ Essentials561449700Request data is not unslashed
#3262Karma Music Player by Kadar56479700Output is not escaped
#3263Kwayy HTML Sitemap5613196k+Missing nonce verification
#3264LearnPress – Course Wishlist56352220k+Output is not escaped
#3265CIELO API PIX, credit card, debit payment for WooCommerce5611121700Nonce verification recommended
#3266MAS Brands for WooCommerce56801510k+Text Domain Mismatch
#3267reCAPTCHA for Ninja Forms56219600Output is not escaped
#3268Maya Business Plugin56939600Input is not validated
#3269Replace Protected Password56618600Input is not sanitized
#3270Seed Social563676k+Output is not escaped
#3271Simple Org Chart561529900Missing Version
#3272Export & Import WPBakery Page Builder5612209k+Missing nonce verification
#3273WC Moneris Payment Gateway568220900Text Domain Mismatch
#3274BestWebSoft’s Pinterest57490176500Text Domain Mismatch
#3275Cache-Control572641k+Output is not escaped
#3276Easy GDPR Consent Forms – MailChimp577222500Text Domain Mismatch
#3277Hide Admin Notices5791620k+Input is not sanitized
#3278Jquery Validation For Contact Form 75716199k+Missing direct file access protection
#3279JSON API User5717341k+Non-prefixed hook name
#3280Public Post Preview57811100k+Nonce verification recommended
#3281Remove admin menus by role575548k+Input is not validated
#3282Search Exclude57734050k+Text Domain Mismatch
#3283Timologia for WooCommerce5775223k+Text Domain Mismatch
#3284Admin Page Notes581715700Text Domain Mismatch
#3285Web Accessibility Toolkit – Accessibility Checker & ARIA for WCAG, Section 508 & ADA Compliance58921500Output is not escaped
#3286Basic User Avatars5817720k+Output is not escaped
#3287Error Log Viewer by BestWebSoft584331726k+Text Domain Mismatch
#3288Flexible FAQ5827261k+Text Domain Mismatch
#3289Houzez WooCommerce Addon5822214k+Missing Translators Comment
#3290PageLoader Lite – Loading Screen582917700Output is not escaped
#3291Quickcreator – AI Blog Writer581418500Exception output is not escaped
#3292Simple CSS for widgets5811151k+Missing nonce verification
#3293SportsPress for Basketball58104341k+Text Domain Mismatch
#3294SportsPress for Football (Soccer)58107346k+Text Domain Mismatch
#3295SportsPress for Volleyball5810734500Text Domain Mismatch
#3296Posts Order5959201k+Text Domain Mismatch
#3297Disabled Source, Disabled Right Click and Content Protection5963310k+Nonce verification recommended
#3298File Upload For WPForms – Filenzo598161k+Output is not escaped
#3299GDPR Data Request Form5922195k+Missing direct file access protection
#3300Getty Images5911462k+Missing nonce verification