WordPress.Security.NonceVerification.Missing
Missing nonce verification
A request handler uses request data without verifying that the request was intentionally created by WordPress.
Why It Shows Up
The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.
Why It Matters
Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.
How to Fix
- Add a nonce to the form, link, AJAX request, or REST request.
- Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
- Keep capability checks separate; nonces prove intent, not permission.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3651 | Cool FormKit Lite – Advanced Form Builder for Elementor | 94 | 5 | 24 | 20k+ | Non-prefixed constant | ||
| #3652 | Login Lockdown & Protection | 94 | 5 | 15 | 100k+ | Non-prefixed global variable | ||
| #3653 | Marquee Addons for Elementor – Essential Motion Widgets & Templates | 94 | 2 | 24 | 20k+ | Post Not In exclude | ||
| #3654 | StyleAI | 94 | 1 | 4 | 400 | Missing nonce verification | ||
| #3655 | Clean Filenames | 94 | 2 | 4 | 3k+ | Missing nonce verification | ||
| #3656 | WPC Product FAQs for WooCommerce | 94 | 20 | 1k+ | Non-prefixed class | |||
| #3657 | First Order Coupon Manager for WooCommerce | 95 | 10 | 3 | 900 | Text Domain Mismatch | ||
| #3658 | WPC Product Timer for WooCommerce | 95 | 17 | 3k+ | Non-prefixed class |