WordPress.Security.NonceVerification.Recommended
Nonce verification recommended
The code reads request data in a place where Plugin Check recommends a nonce check.
Why It Shows Up
The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.
Why It Matters
Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.
How to Fix
- For admin forms and action links, add and verify a nonce.
- For AJAX handlers, use `check_ajax_referer()`.
- For public read-only endpoints, document why a nonce is not required and keep input validation strict.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1951 | Visual Form Builder | 34 | 82 | 329 | 20k+ | Direct Query | ||
| #1952 | Abandoned Cart Reports For WooCommerce | 34 | 133 | 163 | 1k+ | Output is not escaped | ||
| #1953 | Donation Platform for WooCommerce: Fundraising & Donation Management | 34 | 331 | 448 | 7k+ | Non-prefixed global variable | ||
| #1954 | DPD SK for WooCommerce | 34 | 130 | 165 | 700 | Output is not escaped | ||
| #1955 | Pix Automático com Pagarme para WooCommerce | 34 | 68 | 66 | 500 | Non-prefixed global variable | ||
| #1956 | PagHiper Boleto e PIX para WooCommerce | 34 | 29 | 138 | 1k+ | Missing nonce verification | ||
| #1957 | Checkout Field Editor (Checkout Page Manager) for WooCommerce | 34 | 706 | 232 | 2k+ | Text Domain Mismatch | ||
| #1958 | BjornTech PayPal POS integration for WooCommerce | 34 | 68 | 182 | 700 | Non-prefixed hook name | ||
| #1959 | MailerLite – WooCommerce integration | 34 | 65 | 36 | 30k+ | Output is not escaped | ||
| #1960 | PostNL for WooCommerce | 34 | 597 | 104 | 3k+ | Text Domain Mismatch | ||
| #1961 | Simple Discount Rules for Woocommerce | 34 | 175 | 214 | 4k+ | Nonce verification recommended | ||
| #1962 | Integration for WooCommerce and Zoho CRM, Books, Invoice, Inventory, Bigin | 34 | 230 | 154 | 2k+ | Output is not escaped | ||
| #1963 | Advanced Free Shipping for WooCommerce | 34 | 270 | 132 | 40k+ | Text Domain Mismatch | ||
| #1964 | Digital Signature Add-on for WooCommerce | 34 | 165 | 76 | 1k+ | Text Domain Mismatch | ||
| #1965 | Woopra Analytics Plugin | 34 | 114 | 53 | 900 | Output is not escaped | ||
| #1966 | WP Custom Admin Interface | 34 | 263 | 118 | 30k+ | Unsafe printing function | ||
| #1967 | WP Dummy Content Generator | 34 | 93 | 130 | 6k+ | Output is not escaped | ||
| #1968 | WP Dynamic Keywords Injector | 34 | 44 | 205 | 1k+ | Nonce verification recommended | ||
| #1969 | WP Forms Signature Contract Add-On | 34 | 128 | 35 | 900 | Text Domain Mismatch | ||
| #1970 | WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters | 34 | 219 | 453 | 60k+ | wp function not compatible with requires wp | ||
| #1971 | Email Template Designer – WP HTML Mail | 34 | 62 | 80 | 20k+ | badly named files | ||
| #1972 | WP Mail Logging | 34 | 76 | 258 | 300k+ | Nonce verification recommended | ||
| #1973 | LightStart – Maintenance Mode, Coming Soon and Landing Page Builder | 34 | 42 | 312 | 400k+ | Request data is not unslashed | ||
| #1974 | WP Notes Widget | 34 | 217 | 36 | 700 | Output is not escaped | ||
| #1975 | WP Popup Builder – Popup Forms and Marketing Lead Generation | 34 | 357 | 143 | 3k+ | Text Domain Mismatch | ||
| #1976 | WP Random Post Thumbnails | 34 | 420 | 26 | 1k+ | Text Domain Mismatch | ||
| #1977 | Thumbnail Slider With Lightbox | 34 | 244 | 141 | 700 | Output is not escaped | ||
| #1978 | Thumbnail carousel slider | 34 | 277 | 143 | 2k+ | Output is not escaped | ||
| #1979 | WP SendFox | 34 | 296 | 118 | 1k+ | Text Domain Mismatch | ||
| #1980 | WP Subscription Forms – Subscription Form Plugin for WordPress | 34 | 131 | 220 | 400 | Non-prefixed global variable | ||
| #1981 | WP Twitter Feeds | 34 | 202 | 82 | 2k+ | Output is not escaped | ||
| #1982 | Vertical Image Slider | 34 | 264 | 138 | 1k+ | Output is not escaped | ||
| #1983 | Wp Favs – Plugin Manager | 34 | 238 | 153 | 3k+ | Text Domain Mismatch | ||
| #1984 | WPLMS MyCred AddOn | 34 | 383 | 73 | 800 | Text Domain Mismatch | ||
| #1985 | Embed Plus for YouTube Gallery, Livestream and Lazy Loading with Facades | 34 | 571 | 195 | 100k+ | Output is not escaped | ||
| #1986 | Zero Spam for WordPress | 34 | 79 | 393 | 20k+ | Non-prefixed global variable | ||
| #1987 | zipMoney(Zip Co) Payments Plugin for WooCommerce | 34 | 147 | 70 | 2k+ | Text Domain Mismatch | ||
| #1988 | Abandoned Checkout Recovery & Order Notifications for WooCommerce | 35 | 108 | 77 | 800 | Text Domain Mismatch | ||
| #1989 | Advanced Custom Fields: Image Aspect Ratio Crop Field | 35 | 70 | 37 | 20k+ | Text Domain Mismatch | ||
| #1990 | Add to Calendar Button | 35 | 31 | 9 | 3k+ | Output is not escaped | ||
| #1991 | Admin Color Schemer | 35 | 166 | 20 | 1k+ | Exception output is not escaped | ||
| #1992 | Advanced Permalinks | 35 | 94 | 76 | 400 | wp function not compatible with requires wp | ||
| #1993 | Advanced Reporting for Woocommerce | 35 | 296 | 101 | 400 | Output is not escaped | ||
| #1994 | AfterSalesPro Plugin | 35 | 24 | 111 | 400 | Nonce verification recommended | ||
| #1995 | Akismet Anti-spam: Spam Protection | 35 | 33 | 99 | 5m+ | Non-prefixed global variable | ||
| #1996 | Amministrazione Trasparente | 35 | 80 | 46 | 1k+ | Output is not escaped | ||
| #1997 | AnsPress – Question and answer | 35 | 22 | 778 | 3k+ | Non-prefixed function | ||
| #1998 | Antideo Email Validator | 35 | 38 | 98 | 800 | Missing nonce verification | ||
| #1999 | Tuskcode Map Pro for Bing Maps | 35 | 59 | 359 | 600 | Direct Query | ||
| #2000 | AppMySite – WordPress & WooCommerce Mobile App Builder (No-Code Android & iOS App Maker) | 35 | 165 | 37 | 7k+ | Missing Arg Domain |