WordPress.Security.NonceVerification.Recommended
Nonce verification recommended
The code reads request data in a place where Plugin Check recommends a nonce check.
Why It Shows Up
The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.
Why It Matters
Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.
How to Fix
- For admin forms and action links, add and verify a nonce.
- For AJAX handlers, use `check_ajax_referer()`.
- For public read-only endpoints, document why a nonce is not required and keep input validation strict.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1501 | Apaczka.pl WooCommerce | 31 | 99 | 276 | 1k+ | Non-prefixed global variable | ||
| #1502 | Asgaros Forum | 31 | 167 | 412 | 10k+ | Output is not escaped | ||
| #1503 | AI ChatBot with ChatGPT and Content Generator by AYS | 31 | 170 | 378 | 400 | Non-prefixed global variable | ||
| #1504 | Thanh Toán Quét Mã QR Code Tự Động – MoMo, ViettelPay, VNPay và 40 ngân hàng Việt Nam | 31 | 598 | 70 | 700 | Text Domain Mismatch | ||
| #1505 | Яндекс Доставка (Boxberry) | 31 | 46 | 150 | 500 | Missing nonce verification | ||
| #1506 | Buy Me a Coffee – Button and Widget Plugin | 31 | 138 | 140 | 6k+ | Output is not escaped | ||
| #1507 | CashBill.pl – Płatności WooCommerce | 31 | 181 | 101 | 900 | Output is not escaped | ||
| #1508 | cformsII | 31 | 777 | 536 | 3k+ | Unsafe printing function | ||
| #1509 | Newsletter Sign-Up for CleverReach | 31 | 174 | 72 | 2k+ | Output is not escaped | ||
| #1510 | CleverReach® WP | 31 | 103 | 93 | 4k+ | Non-prefixed global variable | ||
| #1511 | Co-marquage service-public.fr | 31 | 84 | 213 | 1k+ | Non-prefixed global variable | ||
| #1512 | Codeless Page Builder | 31 | 415 | 258 | 900 | Text Domain Mismatch | ||
| #1513 | Cookie Dough Compliance and Consent for GDPR | 31 | 539 | 452 | 500 | Non Singular String Literal Domain | ||
| #1514 | Copy Anything to Clipboard for WordPress – Copy Button, Copy Text & Copy Code | 31 | 525 | 131 | 10k+ | Text Domain Mismatch | ||
| #1515 | Theme Demo Importer and Patterns Library for CozyThemes – Cozy Essential Addons | 31 | 393 | 329 | 6k+ | Missing direct file access protection | ||
| #1516 | Crowdfundly | 31 | 594 | 402 | 500 | Output is not escaped | ||
| #1517 | Custom WP Store Locator | 31 | 26 | 245 | 400 | Non-prefixed global variable | ||
| #1518 | DirectoryPress Frontend | 31 | 402 | 563 | 800 | Non-prefixed global variable | ||
| #1519 | Domain Mapping System | Create Microsites with Multiple Alias Domains (multisite optional) | 31 | 113 | 233 | 2k+ | Non-prefixed namespace | ||
| #1520 | Download Plugin | 31 | 78 | 102 | 60k+ | Output is not escaped | ||
| #1521 | Up2pay e-Transactions WooCommerce Payment Gateway | 31 | 459 | 175 | 4k+ | Text Domain Mismatch | ||
| #1522 | EnvoThemes Demo Import | 31 | 221 | 140 | 3k+ | Output is not escaped | ||
| #1523 | Export Order Items for WooCommerce | 31 | 100 | 108 | 1k+ | Text Domain Mismatch | ||
| #1524 | Express Checkout via PayPal for WooCommerce | 31 | 158 | 200 | 800 | Nonce verification recommended | ||
| #1525 | افزونه پیامک حرفه ای فراز اس ام اس | 31 | 89 | 180 | 1k+ | wp function not compatible with requires wp | ||
| #1526 | FraudLabs Pro for WooCommerce | 31 | 169 | 213 | 1k+ | Request data is not unslashed | ||
| #1527 | g-FFL Checkout | 31 | 249 | 300 | 600 | Request data is not unslashed | ||
| #1528 | WP Gravity Forms Constant Contact Plugin | 31 | 684 | 164 | 600 | Text Domain Mismatch | ||
| #1529 | GS Pinterest Portfolio – Pins Grid, Masonry, User Profile, Popup & Board Widgets | 31 | 402 | 156 | 1k+ | Text Domain Mismatch | ||
| #1530 | HFD ePost Integration | 31 | 186 | 110 | 1k+ | Text Domain Mismatch | ||
| #1531 | OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. | 31 | 213 | 62 | 300k+ | Output is not escaped | ||
| #1532 | HT Easy GA4 – Google Analytics WordPress Plugin | 31 | 475 | 93 | 6k+ | Text Domain Mismatch | ||
| #1533 | HT Mega – Absolute Addons for WPBakery Page Builder | 31 | 2,740 | 115 | 900 | Text Domain Mismatch | ||
| #1534 | Image Hotspot – Map Image Annotation | 31 | 95 | 287 | 3k+ | Non-prefixed global variable | ||
| #1535 | ImgSEO – AI Image Alt Text Generator & Image SEO Tools | 31 | 1 | 677 | 400 | Direct Query | ||
| #1536 | Interactive Image Map Builder | 31 | 160 | 381 | 1k+ | Non-prefixed global variable | ||
| #1537 | Kindeditor For WordPress | 31 | 63 | 130 | 500 | Non-prefixed global variable | ||
| #1538 | Keywords to Links Converter | 31 | 288 | 144 | 700 | Text Domain Mismatch | ||
| #1539 | Login rebuilder | 31 | 406 | 226 | 20k+ | Non Singular String Literal Domain | ||
| #1540 | Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity | 31 | 122 | 131 | 2k+ | Output is not escaped | ||
| #1541 | MainWP Dashboard: Self-hosted WordPress Management for Agencies | 31 | 95 | 317 | 20k+ | Interpolated SQL is not prepared | ||
| #1542 | Melapress Login Security | 31 | 69 | 278 | 2k+ | Non-prefixed global variable | ||
| #1543 | Nova Blocks by Pixelgrade | 31 | 209 | 110 | 800 | Output is not escaped | ||
| #1544 | Openpay Cards Plugin | 31 | 166 | 105 | 3k+ | Text Domain Mismatch | ||
| #1545 | Patreon WordPress | 31 | 276 | 339 | 3k+ | Output is not escaped | ||
| #1546 | PayKeeper Payment Gateway for WooCommerce | 31 | 113 | 44 | 500 | Non Singular String Literal Domain | ||
| #1547 | افزونه پیامک ووکامرس Persian WooCommerce SMS | 31 | 72 | 269 | 40k+ | Nonce verification recommended | ||
| #1548 | Podamibe Simple Footer Widget Area | 31 | 596 | 57 | 2k+ | wp function not compatible with requires wp | ||
| #1549 | Pop-up | 31 | 103 | 91 | 10k+ | Output is not escaped | ||
| #1550 | Portfolio, Gallery, Product Catalog – Grid KIT Portfolio | 31 | 61 | 329 | 6k+ | Non-prefixed global variable |