WordPress.Security.NonceVerification.Recommended

Nonce verification recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical weight

Why It Shows Up

The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.

Why It Matters

Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.

How to Fix

  • For admin forms and action links, add and verify a nonce.
  • For AJAX handlers, use `check_ajax_referer()`.
  • For public read-only endpoints, document why a nonce is not required and keep input validation strict.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1051Translate WordPress with ConveyThis – AI Multilingual Plugin261592971k+Non-prefixed global variable
#1052CP Multi View Events Calendar2686439900Non-prefixed global variable
#1053Cyclone Demo Importer261,77844810k+Text Domain Mismatch
#1054WP Frontend Admin – Display WP Admin Pages in the Frontend26347337400Non Singular String Literal Domain
#1055Ditty – Responsive News Tickers, Sliders, and Lists2656148430k+Output is not escaped
#1056Accept Donations with PayPal & Stripe2691657210k+Unsafe printing function
#1057ELEX WooCommerce Google Shopping (Google Product Feed)262262421k+Text Domain Mismatch
#1058Event Monster – Event Manager, Ticket Booking & Registration26781781600Non-prefixed global variable
#1059ezCache2612728410k+Direct Query
#1060RSS Redirect & Feedburner Alternative262772721k+Output is not escaped
#1061FlagShip WooCommerce Shipping26495188400Non Singular String Literal Domain
#1062Fluent Support – Helpdesk & Customer Support Ticket System269227210k+Direct Query
#1063Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager2611359790k+Non-prefixed global variable
#1064FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.)265944172k+Exception output is not escaped
#1065FV Antispam26332239900Output is not escaped
#1066Translate WordPress – Google Language Translator26200317100k+Non-prefixed global variable
#1067GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites26286216500badly named files
#1068Hide Admin Bar Based on User Roles265491,34520k+Non-prefixed global variable
#1069Ibtana – WordPress Website Builder2617340910k+Non-prefixed global variable
#1070Icegram Collect – Easy Form, Lead Collection and Subscription plugin264232922k+Output is not escaped
#1071Integrate Razorpay for Contact Form 72615297500curl curl setopt
#1072Kadence Central – Site Management, Backups, Security, and Reporting2646221330k+Text Domain Mismatch
#1073JustTables – WooCommerce Product Table26534652600Non-prefixed global variable
#1074Kirki – Freeform Page Builder, Website Builder & Customizer26191803500k+Nonce verification recommended
#1075Klarna for WooCommerce2628450730k+Dynamic hook name
#1076Landing Page Cat – Coming Soon & Maintenance Pages2691180600Non-prefixed class
#1077Live Composer – Free WordPress Website Builder261,21142710k+Output is not escaped
#1078Login Widget With Shortcode263351986k+wp function not compatible with requires wp
#1079MakeStories (for Google Web Stories)26117416600Nonce verification recommended
#1080MaxGalleria262785602k+Non-prefixed global variable
#1081Media File Renamer: Rename for better SEO (AI-Powered)2615417040k+Direct Query
#1082Hotel Booking266909404k+Unsafe printing function
#1083Omise Payments263582562k+Output is not escaped
#1084Online Contact Widget-多合一在线客服插件2670880800Non Singular String Literal Domain
#1085OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA)262725996k+Request data is not unslashed
#1086Open User Map – Interactive Leaflet Maps2689598810k+Non-prefixed global variable
#1087Organic Builder Widgets – Simple WordPress Page Builder261,0341253k+Output is not escaped
#1088Paytium: Mollie payment forms & donations265065513k+Unsafe printing function
#1089PDF for WPForms + Drag and Drop Template Builder266741131k+wp function not compatible with requires wp
#1090LoginWP (Formerly Peter's Login Redirect)2640127890k+Output is not escaped
#1091Crowdsignal Dashboard – Polls, Surveys & more26481491200k+Unsafe printing function
#1092Polylang2636564800k+Non-prefixed hook name
#1093Portfolio by BestWebSoft – Work and Projects Presentation Plugin for WordPress26525240600Text Domain Mismatch
#1094Premmerce User Roles265971,357600Non-prefixed global variable
#1095Pressidium Cookie Consent262039510k+Exception output is not escaped
#1096Product Table For WooCommerce26191858600Non-prefixed global variable
#1097Profile Extra Fields by BestWebSoft265145322k+Text Domain Mismatch
#1098RestaurantPress26265518600Output is not escaped
#1099Role Based Pricing for Woo by Meow Crew265481,3542k+Non-prefixed global variable
#1100Send Users Email – Email Subscribers, Email Marketing Newsletter261884155k+Non-prefixed global variable