WordPress.Security.NonceVerification.Recommended

Nonce verification recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical weight

Why It Shows Up

The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.

Why It Matters

Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.

How to Fix

For admin forms and action links, add and verify a nonce.
For AJAX handlers, use `check_ajax_referer()`.
For public read-only endpoints, document why a nonce is not required and keep input validation strict.

References

WordPress nonces

Affected Plugins

Rank	Plugin	Score	Errors	Warnings	Installs	Added	Updated	Top Issue
#151	EleSpare – News, Magazine and Blog Addons for Elementor	22	733	1,423	10k+	5 years ago	1 month ago	Non-prefixed global variable
#152	Estatik Real Estate Plugin	22	3,049	325	10k+	11 years ago	12 days ago	Text Domain Mismatch
#153	Events Maker by dFactory	22	588	819	1k+	13 years ago	9 years ago	Output is not escaped
#154	Events Manager – Calendar, Bookings, Tickets, and more!	22	4,722	5,621	70k+	18 years ago	6 days ago	Output is not escaped
#155	Falang multilanguage for WordPress	22	716	769	1k+	7 years ago	14 days ago	Output is not escaped
#156	File Manager Pro – Filester	22	565	391	100k+	6 years ago	1 month ago	Request data is not unslashed
#157	Finale Lite – Sales Countdown Timer & Discount for WooCommerce	22	1,031	451	4k+	9 years ago	1 year ago	Output is not escaped
#158	FireBox Popups – Increase Sales and Grow Your Email List	22	153	812	7k+	5 years ago	10 days ago	Non-prefixed global variable
#159	Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder	22	409	236	700k+	8 years ago	16 days ago	Text Domain Mismatch
#160	Notification Bar, Announcement and Cookie Notice WordPress Plugin – FooBar	22	1,321	1,371	3k+	15 years ago	1 month ago	Non-prefixed global variable
#161	Five Star Restaurant Menu and Food Ordering	22	752	609	5k+	13 years ago	22 days ago	Output is not escaped
#162	GeoDirectory – WP Business Directory Plugin and Classified Listings Directory	22	4,466	3,972	10k+	12 years ago	yesterday	Output is not escaped
#163	Anti-Malware Security and Brute-Force Firewall	22	544	965	100k+	14 years ago	4 months ago	Output is not escaped
#164	Gutenberg	22	628	342	300k+	9 years ago	8 days ago	Missing direct file access protection
#165	Happyforms – Form Builder for WordPress: Drag & Drop Contact Forms, Surveys, Payments & Multipurpose Forms	22	1,037	722	20k+	8 years ago	29 days ago	Unsafe printing function
#166	HeadSpace2 SEO	22	940	360	3k+	19 years ago	9 years ago	Text Domain Mismatch
#167	Csomagpontok és Címkék WooCommerce-hez	22	2,001	769	7k+	5 years ago	22 days ago	Text Domain Mismatch
#168	IMPress for IDX Broker	22	1,085	636	7k+	14 years ago	2 months ago	Text Domain Mismatch
#169	Insert or Embed Articulate Content into WordPress	22	659	1,437	2k+	15 years ago	11 months ago	Non-prefixed global variable
#170	Számlázz.hu integráció WooCommerce-hez	22	1,169	460	7k+	10 years ago	25 days ago	Text Domain Mismatch
#171	InfiniteWP Client	22	2,286	1,812	200k+	14 years ago	4 months ago	Exception output is not escaped
#172	Import WP – Export and Import CSV and XML files to WordPress	22	580	330	4k+	12 years ago	2 months ago	Exception output is not escaped
#173	LearnPress – WordPress LMS Plugin for Create and Sell Online Courses	22	2,361	3,384	70k+	11 years ago	8 days ago	Non-prefixed global variable
#174	Leyka	22	253	3,445	2k+	13 years ago	2 months ago	Request data is not unslashed
#175	Custom Login Page Customizer – Login Designer	22	588	1,455	30k+	9 years ago	8 months ago	Non-prefixed global variable
#176	MailOptin – Popup, Optin Forms & Email Newsletters for Mailchimp, HubSpot, AWeber Etc.	22	2,619	2,453	10k+	9 years ago	6 days ago	Output is not escaped
#177	Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider	22	207	323	500k+	13 years ago	14 days ago	Non-prefixed global variable
#178	Modula Image Gallery – Photo Grid & Video Gallery	22	474	436	100k+	11 years ago	9 days ago	Text Domain Mismatch
#179	Molongui Authorship – Author Boxes, Guest Authors & Co-Authors for WordPress	22	919	1,230	10k+	11 years ago	4 months ago	Output is not escaped
#180	Moloni	22	902	356	2k+	7 years ago	2 months ago	Missing Arg Domain
#181	Motors – Car Dealership & Classified Listings Plugin	22	5,340	5,958	9k+	9 years ago	7 days ago	Text Domain Mismatch
#182	Newsletters	22	2,968	2,248	2k+	12 years ago	6 days ago	Text Domain Mismatch
#183	NinjaFirewall (WP Edition) – Advanced Security Plugin and Firewall	22	1,265	2,065	100k+	13 years ago	18 days ago	Non-prefixed global variable
#184	NinjaScanner – Virus & Malware scan	22	596	551	30k+	9 years ago	16 days ago	Non-prefixed global variable
#185	WP OAuth Server (OAuth Authentication)	22	189	347	3k+	13 years ago	5 months ago	Non-prefixed function
#186	oik	22	489	180	2k+	15 years ago	7 months ago	Non Singular String Literal Domain
#187	PagBank / PagSeguro Connect para WooCommerce	22	504	743	4k+	2 years ago	2 days ago	Non-prefixed global variable
#188	PAYCOMET for WooCommerce	22	1,206	423	2k+	11 years ago	8 days ago	Text Domain Mismatch
#189	Smart Popup by Supsystic	22	3,172	503	10k+	11 years ago	25 days ago	Non Singular String Literal Domain
#190	Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App	22	1,581	2,326	300k+	9 years ago	yesterday	Non-prefixed global variable
#191	Prime Mover – Migrate WordPress Website & Backups	22	1,326	1,600	10k+	7 years ago	19 days ago	Non-prefixed global variable
#192	Product Catalog Feed by PixelYourSite	22	581	357	8k+	10 years ago	3 years ago	Output is not escaped
#193	PageSpeed Ninja – Cache, Minify, Defer CSS JavaScript, Critical CSS, Optimize Images, Convert WebP	22	984	407	5k+	9 years ago	2 years ago	Unsafe printing function
#194	Quick Contact Form	22	260	623	1k+	14 years ago	6 months ago	Non-prefixed function
#195	RabbitLoader Cache: Optimize your Website for Speed	22	241	163	2k+	5 years ago	6 days ago	Output is not escaped
#196	Request a Quote Form Plugin – Price Quote Request Management Made Easy	22	241	1,109	1k+	10 years ago	4 months ago	Non-prefixed hook name
#197	Restrict User Access – Ultimate Membership & Content Protection	22	977	1,840	10k+	11 years ago	9 months ago	Non-prefixed global variable
#198	SALESmanago & Leadoo	22	645	429	1k+	9 years ago	2 months ago	Unsafe printing function
#199	Salon Booking System – Free Version	22	650	619	2k+	11 years ago	12 days ago	Missing direct file access protection
#200	Social Sharing Plugin – Sassy Social Share	22	1,689	233	100k+	11 years ago	9 months ago	wp function not compatible with requires wp