WordPress.Security.NonceVerification.Missing

Missing nonce verification

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical weight

Why It Shows Up

The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.

Why It Matters

Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.

How to Fix

  • Add a nonce to the form, link, AJAX request, or REST request.
  • Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
  • Keep capability checks separate; nonces prove intent, not permission.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3651Cool FormKit Lite – Advanced Form Builder for Elementor9452420k+Non-prefixed constant
#3652Login Lockdown & Protection94515100k+Non-prefixed global variable
#3653Marquee Addons for Elementor – Essential Motion Widgets & Templates9422420k+Post Not In exclude
#3654StyleAI9414400Missing nonce verification
#3655Clean Filenames94243k+Missing nonce verification
#3656WPC Product FAQs for WooCommerce94201k+Non-prefixed class
#3657First Order Coupon Manager for WooCommerce95103900Text Domain Mismatch
#3658WPC Product Timer for WooCommerce95173k+Non-prefixed class