WordPress.Security.NonceVerification.Missing
Missing nonce verification
A request handler uses request data without verifying that the request was intentionally created by WordPress.
Why It Shows Up
The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.
Why It Matters
Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.
How to Fix
- Add a nonce to the form, link, AJAX request, or REST request.
- Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
- Keep capability checks separate; nonces prove intent, not permission.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3301 | HTTP Headers | 59 | 20 | 43 | 50k+ | Nonce verification recommended | ||
| #3302 | JetSticky For Elementor | 59 | 13 | 38 | 30k+ | Nonce verification recommended | ||
| #3303 | Lazy Loader | 59 | 6 | 24 | 9k+ | Nonce verification recommended | ||
| #3304 | Multiple Packages for WooCommerce | 59 | 34 | 4 | 600 | Text Domain Mismatch | ||
| #3305 | Scrollbar | 59 | 7 | 22 | 400 | Missing nonce verification | ||
| #3306 | Side Menu Lite – Sticky Floating Side Menu | 59 | 9 | 123 | 7k+ | Non-prefixed global variable | ||
| #3307 | WC Korkmaz Contract – Contracts for WooCommerce | 59 | 7 | 38 | 500 | Non-prefixed global variable | ||
| #3308 | Payment Gateway for LiqPay for Woocommerce | 59 | 84 | 31 | 1k+ | Text Domain Mismatch | ||
| #3309 | GST Invoice for WooCommerce | 59 | 10 | 42 | 1k+ | Missing nonce verification | ||
| #3310 | RevivePress – Keep your Old Content Evergreen | 59 | 27 | 46 | 5k+ | date date | ||
| #3311 | Add Google re captcha in WordPress Forms | 59 | 16 | 16 | 500 | Output is not escaped | ||
| #3312 | WPML Widgets | 59 | 9 | 9 | 9k+ | Unsafe printing function | ||
| #3313 | Post Blocks & Tools | 60 | 9 | 46 | 400 | Missing nonce verification | ||
| #3314 | Contact Form 7 – Phone mask field | 60 | 21 | 7 | 20k+ | Unsafe printing function | ||
| #3315 | Contact Form 7 Modules | 60 | 47 | 15 | 5k+ | Text Domain Mismatch | ||
| #3316 | EPROLO-Dropshipping | 60 | 16 | 34 | 1k+ | Missing nonce verification | ||
| #3317 | Freshchat | 60 | 16 | 10 | 1k+ | Output is not escaped | ||
| #3318 | RealHomes PayPal Payments | 60 | 55 | 23 | 400 | Non Singular String Literal Domain | ||
| #3319 | MultiStep Checkout for WooCommerce | 60 | 46 | 57 | 4k+ | Non Singular String Literal Text | ||
| #3320 | WoowGallery | 60 | 15 | 178 | 1k+ | Non-prefixed global variable | ||
| #3321 | WPB Popup for Contact Form 7 – Showing Contact Form 7 Popup on Button Click | 60 | 21 | 9 | 6k+ | Output is not escaped | ||
| #3322 | WPSSO Schema Product Metadata for WooCommerce | 60 | 33 | 23 | 500 | Missing Translators Comment | ||
| #3323 | Creative Commons | 61 | 103 | 17 | 700 | Text Domain Mismatch | ||
| #3324 | Disable Right Click For WP | 61 | 15 | 12 | 10k+ | Missing nonce verification | ||
| #3325 | Documents for WooCommerce | 61 | 16 | 13 | 500 | Output is not escaped | ||
| #3326 | Multiple Post Passwords | 61 | 13 | 15 | 2k+ | Output is not escaped | ||
| #3327 | Post/Page Import Export – Migrate Content with Custom Fields & Taxonomies | 61 | 12 | 27 | 400 | Input is not sanitized | ||
| #3328 | Qikink Print On Demand and DropShipping | 61 | 14 | 23 | 1k+ | Input is not validated | ||
| #3329 | SHK Hide Title | 61 | 19 | 4 | 3k+ | Output is not escaped | ||
| #3330 | Simple User Avatar | 61 | 8 | 14 | 20k+ | Output is not escaped | ||
| #3331 | HuCommerce | Magyar kiegészítések WooCommerce webáruházakhoz | 61 | 17 | 194 | 10k+ | Non-prefixed function | ||
| #3332 | Team Showcase | 61 | 1 | 125 | 1k+ | slow db query meta key | ||
| #3333 | Two Factor (2FA) Authentication via Email | 61 | 12 | 27 | 9k+ | Request data is not unslashed | ||
| #3334 | whatwedo ACF Cleaner | 61 | 8 | 20 | 800 | Input is not validated | ||
| #3335 | Products Restricted Users for WooCommerce | 61 | 31 | 24 | 400 | wp function not compatible with requires wp | ||
| #3336 | Show Variations as Single Products for WooCommerce | 61 | 12 | 27 | 500 | Unsafe printing function | ||
| #3337 | WP-CORS | 61 | 7 | 23 | 1k+ | error log error log | ||
| #3338 | WP Optin Wheel – Gamified Optin Email Marketing Tool for WordPress and WooCommerce | 61 | 22 | 74 | 1k+ | Non-prefixed global variable | ||
| #3339 | Add Meta Tag Keywords | 62 | 6 | 15 | 1k+ | Missing nonce verification | ||
| #3340 | AMP Contact FORM 7 – AMPCF7 | 62 | 9 | 13 | 500 | Input is not validated | ||
| #3341 | Contact Form 7 – Blacklist Unwanted Email | 62 | 16 | 11 | 400 | Missing direct file access protection | ||
| #3342 | Check for Broken Links – Broken Link Checker & 404 Monitor | 62 | 2 | 32 | 500 | Missing nonce verification | ||
| #3343 | Custom Sidebars by ProteusThemes | 62 | 17 | 23 | 1k+ | Missing nonce verification | ||
| #3344 | Dashboard Widget Sidebar | 62 | 9 | 16 | 400 | Input is not validated | ||
| #3345 | Falcon – WordPress Optimizations & Tweaks | 62 | 47 | 66 | 2k+ | Short PHP open tag found | ||
| #3346 | Import entries for Gravity Forms | 62 | 6 | 26 | 500 | Input is not validated | ||
| #3347 | MainWP Key Maker | 62 | 3 | 35 | 4k+ | Input is not sanitized | ||
| #3348 | Proofreading | 62 | 11 | 74 | 5k+ | Direct Query | ||
| #3349 | Easy SSL Plugin for SAKURA Rental Server | 62 | 23 | 17 | 50k+ | Input is not sanitized | ||
| #3350 | Testimonial Carousel For Elementor | 62 | 34 | 56 | 10k+ | No Html Wrapped Strings |