WordPress.Security.NonceVerification.Recommended
Nonce verification recommended
The code reads request data in a place where Plugin Check recommends a nonce check.
Why It Shows Up
The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.
Why It Matters
Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.
How to Fix
- For admin forms and action links, add and verify a nonce.
- For AJAX handlers, use `check_ajax_referer()`.
- For public read-only endpoints, document why a nonce is not required and keep input validation strict.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2001 | Aquila Admin Theme | 35 | 151 | 329 | 3k+ | Non-prefixed global variable | ||
| #2002 | Author Box WP Lens | 35 | 169 | 49 | 900 | Unsafe printing function | ||
| #2003 | Automatic Internal Links for SEO by Pagup | 35 | 30 | 166 | 1k+ | error log error log | ||
| #2004 | Awin – Advertiser Tracking for WooCommerce | 35 | 46 | 39 | 1k+ | Non Singular String Literal Domain | ||
| #2005 | BackWPup – WordPress Backup & Restore Plugin | 35 | 11 | 779 | 500k+ | Non-prefixed global variable | ||
| #2006 | Basic Google Maps Placemarks | 35 | 189 | 80 | 3k+ | Output is not escaped | ||
| #2007 | bbPress Notify (No-Spam) | 35 | 62 | 66 | 2k+ | wp function not compatible with requires wp | ||
| #2008 | Before After Image Comparison Slider for WPBakery Page Builder | 35 | 58 | 59 | 1k+ | Output is not escaped | ||
| #2009 | belingoGeo | 35 | 136 | 133 | 1k+ | Output is not escaped | ||
| #2010 | Better Recent Comments | 35 | 127 | 29 | 2k+ | Text Domain Mismatch | ||
| #2011 | Bicycles by falbar | 35 | 426 | 65 | 600 | Output is not escaped | ||
| #2012 | Lord of the Files: Enhanced Upload Security | 35 | 62 | 42 | 1k+ | Non-prefixed global variable | ||
| #2013 | Block Manager | 35 | 33 | 26 | 4k+ | Text Domain Mismatch | ||
| #2014 | Gutenberg Block Editor Toolkit – EditorsKit | 35 | 61 | 25 | 20k+ | Text Domain Mismatch | ||
| #2015 | Block User Account | 35 | 280 | 143 | 1k+ | Unsafe printing function | ||
| #2016 | Blogsqode – Blog Layouts and News Post Design | 35 | 430 | 63 | 400 | Text Domain Mismatch | ||
| #2017 | BlossomThemes Toolkit | 35 | 347 | 52 | 30k+ | Output is not escaped | ||
| #2018 | Tooltipy (tooltips for WP) | 35 | 370 | 125 | 1k+ | Text Domain Mismatch | ||
| #2019 | Bootstrap for Contact Form 7 | 35 | 35 | 73 | 10k+ | Nonce verification recommended | ||
| #2020 | BORICA Payments by BORICA AD | 35 | 537 | 196 | 500 | Text Domain Mismatch | ||
| #2021 | BuddyPress Activity Filter | 35 | 25 | 66 | 400 | Nonce verification recommended | ||
| #2022 | Wbcom Designs – BuddyPress Activity Social Share | 35 | 293 | 27 | 400 | Text Domain Mismatch | ||
| #2023 | Custom Order Status Manager for WooCommerce | 35 | 630 | 67 | 30k+ | Text Domain Mismatch | ||
| #2024 | Registration Options for BuddyPress | 35 | 47 | 132 | 1k+ | Non-prefixed function | ||
| #2025 | BSK Forms Blacklist | 35 | 831 | 550 | 1k+ | Output is not escaped | ||
| #2026 | BTCPay Server – Accept Bitcoin payments in WooCommerce | 35 | 48 | 86 | 1k+ | Missing nonce verification | ||
| #2027 | BugHerd | 35 | 8 | 2 | 3k+ | Output is not escaped | ||
| #2028 | Business Hours Indicator | 35 | 139 | 106 | 8k+ | Alternative PHP tag found | ||
| #2029 | Buying Buddy IDX CRM – Real Estate MLS Plugin | 35 | 71 | 240 | 500 | Request data is not unslashed | ||
| #2030 | Cache Enabler | 35 | 44 | 75 | 90k+ | Input is not sanitized | ||
| #2031 | CatFolders – WordPress Media Library Folders & Categories | 35 | 35 | 76 | 6k+ | Direct Query | ||
| #2032 | Central Connect | 35 | 7 | 21 | 400 | Nonce verification recommended | ||
| #2033 | CF7 Spreadsheets | 35 | 100 | 62 | 400 | Text Domain Mismatch | ||
| #2034 | CF7 Submissions – Securely Store Contact Form 7 Data and Attachments, Reply to the Sender and more | 35 | 16 | 119 | 2k+ | Non-prefixed global variable | ||
| #2035 | CF7 Views – Complete Entry Management for Contact Form 7 | 35 | 172 | 181 | 1k+ | Output is not escaped | ||
| #2036 | Change Quantity on Checkout for WooCommerce | 35 | 270 | 32 | 4k+ | wp function not compatible with requires wp | ||
| #2037 | ChatHelp – Click to Chat Button, WooCommerce Chat to Order & Floating Chat Form | 35 | 31 | 188 | 1k+ | Non-prefixed global variable | ||
| #2038 | CiviCRM Profile Sync | 35 | 31 | 140 | 600 | Non-prefixed global variable | ||
| #2039 | Cloudflare | 35 | 28 | 85 | 200k+ | Non-prefixed namespace | ||
| #2040 | Flexible SSL for CloudFlare | 35 | 9 | 6 | 100k+ | Output is not escaped | ||
| #2041 | CM E-Mail Blacklist – Simple email filtering for safer registration | 35 | 269 | 205 | 800 | Output is not escaped | ||
| #2042 | CompressX — AVIF & WebP Converter, Media Replacement | 35 | 26 | 423 | 40k+ | Missing nonce verification | ||
| #2043 | Conditional Menus | 35 | 92 | 28 | 60k+ | Text Domain Mismatch | ||
| #2044 | Constant Contact Forms | 35 | 41 | 89 | 20k+ | Missing nonce verification | ||
| #2045 | EasyTest – Simplify A/B Testing | 35 | 9 | 76 | 10k+ | Non-prefixed global variable | ||
| #2046 | Cookies and Content Security Policy | 35 | 261 | 412 | 10k+ | Output is not escaped | ||
| #2047 | Core Framework | 35 | 70 | 62 | 10k+ | Text Domain Mismatch | ||
| #2048 | Counter live visitors for WooCommerce | 35 | 189 | 39 | 7k+ | Short PHP open tag found | ||
| #2049 | Coupon X – Discount Popups, Promo Codes Pop Ups for WooCommerce & Announcement Popups | 35 | 30 | 168 | 1k+ | Non-prefixed global variable | ||
| #2050 | CrowdSec | 35 | 130 | 119 | 2k+ | Output is not escaped |