WordPress.Security.NonceVerification.Recommended

Nonce verification recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical weight

Why It Shows Up

The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.

Why It Matters

Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.

How to Fix

For admin forms and action links, add and verify a nonce.
For AJAX handlers, use `check_ajax_referer()`.
For public read-only endpoints, document why a nonce is not required and keep input validation strict.

References

WordPress nonces

Affected Plugins

Rank	Plugin	Score	Errors	Warnings	Installs	Added	Updated	Top Issue
#101	Paysera Payment Gateway for WooCommerce	21	1,866	195	7k+	8 years ago	20 days ago	Exception output is not escaped
#102	WooCommerce	21	1,359	6,172	7m+	15 years ago	28 days ago	Non-prefixed global variable
#103	Pay For Post with WooCommerce	21	960	1,474	1k+	12 years ago	5 months ago	Non-prefixed global variable
#104	PPOM – Product Addons & Custom Fields for WooCommerce	21	336	1,322	20k+	11 years ago	today	Non-prefixed global variable
#105	Wordfence Security – Firewall, Malware Scan, and Login Security	21	1,592	2,973	5m+	14 years ago	1 month ago	Output is not escaped
#106	WP Compress – Instant Performance & Speed Optimization	21	3,349	3,218	10k+	8 years ago	today	Non Singular String Literal Domain
#107	WP-Lister Lite for eBay	21	6,697	5,129	2k+	14 years ago	21 days ago	Output is not escaped
#108	WP phpMyAdmin	21	4,528	6,435	50k+	8 years ago	8 months ago	Missing Arg Domain
#109	wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin	21	1,811	1,432	70k+	11 years ago	today	Output is not escaped
#110	Premium Packages – Sell Digital Products Securely	21	2,765	2,444	3k+	8 years ago	6 months ago	Output is not escaped
#111	WPScan – WordPress Security Scanner	21	527	265	8k+	7 years ago	5 months ago	Text Domain Mismatch
#112	Frontend Admin by DynamiApps	22	5,922	3,208	10k+	7 years ago	7 days ago	Text Domain Mismatch
#113	Advanced Classifieds & Directory Pro	22	1,229	3,511	2k+	10 years ago	today	Non-prefixed global variable
#114	Advanced Form Integration — Connect Forms to 200+ Apps	22	5,771	4,678	10k+	7 years ago	6 days ago	wp function not compatible with requires wp
#115	Ajax Load More – Infinite Scroll, Load More, & Lazy Load	22	641	595	40k+	12 years ago	20 days ago	Unsafe printing function
#116	All-in-One Video Gallery	22	911	2,892	20k+	9 years ago	yesterday	Non-prefixed global variable
#117	Booking for Appointments and Events Calendar – Amelia	22	1,489	480	90k+	8 years ago	6 days ago	Exception output is not escaped
#118	Shortcodes and extra features for Phlox theme	22	413	426	90k+	10 years ago	2 months ago	Output is not escaped
#119	Knowledge Base documentation & wiki plugin – BasePress Docs	22	671	1,767	2k+	9 years ago	5 months ago	Non-prefixed global variable
#120	Borderless – Addons and Templates for Elementor	22	438	1,388	5k+	5 years ago	7 months ago	Non-prefixed global variable
#121	Better Messages – Chat Rooms, Group Chat, Private Messages & AI Chat Bots	22	1,604	2,019	10k+	9 years ago	14 days ago	Direct Query
#122	BuddyPress	22	583	9,008	100k+	17 years ago	9 months ago	Non-prefixed function
#123	Better WordPress Minify	22	412	484	8k+	15 years ago	9 years ago	Non Singular String Literal Domain
#124	Captcha by BestWebSoft – Advanced Spam Protection, Math & OCR-Friendly Captcha for Site Forms	22	493	295	10k+	9 years ago	3 months ago	Text Domain Mismatch
#125	Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer	22	2,858	1,270	50k+	9 years ago	2 months ago	Text Domain Mismatch
#126	Code Profiler – WordPress Performance Profiling and Debugging Made Easy	22	265	400	8k+	5 years ago	12 days ago	Non-prefixed global variable
#127	Passster – Password Protect Pages and Content	22	539	1,419	10k+	13 years ago	22 days ago	Non-prefixed global variable
#128	RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login	22	3,654	5,061	8k+	12 years ago	2 days ago	Non-prefixed global variable
#129	WP Customer Area	22	3,308	941	10k+	13 years ago	2 months ago	Text Domain Mismatch
#130	SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager	22	746	852	8k+	5 years ago	today	Non-prefixed global variable
#131	Data Tables Generator by Supsystic	22	157	150	10k+	11 years ago	today	Exception output is not escaped
#132	Directorist: AI-Powered Business Directory, Listings & Classified Ads	22	443	2,129	20k+	9 years ago	15 days ago	Non-prefixed global variable
#133	Download Manager	22	2,290	1,301	100k+	16 years ago	8 days ago	Output is not escaped
#134	Dynamic QR Code – generator	22	238	208	6k+	4 years ago	1 year ago	Missing direct file access protection
#135	E2Pdf – Export Pdf Tool for WordPress	22	1,075	836	10k+	8 years ago	8 days ago	Unsafe printing function
#136	Easy Social Feed – Social Photos Gallery and Post Feed for WordPress	22	1,567	1,277	30k+	12 years ago	2 months ago	Non-prefixed global variable
#137	EleSpare – News, Magazine and Blog Addons for Elementor	22	733	1,423	10k+	5 years ago	29 days ago	Non-prefixed global variable
#138	Estatik Real Estate Plugin	22	3,049	325	10k+	11 years ago	11 days ago	Text Domain Mismatch
#139	Events Manager – Calendar, Bookings, Tickets, and more!	22	4,722	5,621	70k+	18 years ago	5 days ago	Output is not escaped
#140	Falang multilanguage for WordPress	22	716	769	1k+	7 years ago	13 days ago	Output is not escaped
#141	File Manager Pro – Filester	22	565	391	100k+	6 years ago	1 month ago	Request data is not unslashed
#142	Finale Lite – Sales Countdown Timer & Discount for WooCommerce	22	1,031	451	4k+	9 years ago	1 year ago	Output is not escaped
#143	FireBox Popups – Increase Sales and Grow Your Email List	22	153	812	7k+	5 years ago	9 days ago	Non-prefixed global variable
#144	Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder	22	409	236	700k+	8 years ago	15 days ago	Text Domain Mismatch
#145	Notification Bar, Announcement and Cookie Notice WordPress Plugin – FooBar	22	1,321	1,371	3k+	15 years ago	1 month ago	Non-prefixed global variable
#146	Five Star Restaurant Menu and Food Ordering	22	752	609	5k+	13 years ago	21 days ago	Output is not escaped
#147	GeoDirectory – WP Business Directory Plugin and Classified Listings Directory	22	4,466	3,972	10k+	12 years ago	today	Output is not escaped
#148	Anti-Malware Security and Brute-Force Firewall	22	544	965	100k+	14 years ago	4 months ago	Output is not escaped
#149	Gutenberg	22	628	342	300k+	9 years ago	7 days ago	Missing direct file access protection
#150	Happyforms – Form Builder for WordPress: Drag & Drop Contact Forms, Surveys, Payments & Multipurpose Forms	22	1,037	722	20k+	8 years ago	28 days ago	Unsafe printing function