WordPress.Security.NonceVerification.Recommended

Nonce verification recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical weight

Why It Shows Up

The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.

Why It Matters

Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.

How to Fix

  • For admin forms and action links, add and verify a nonce.
  • For AJAX handlers, use `check_ajax_referer()`.
  • For public read-only endpoints, document why a nonce is not required and keep input validation strict.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2001Aquila Admin Theme351513293k+Non-prefixed global variable
#2002Author Box WP Lens3516949900Unsafe printing function
#2003Automatic Internal Links for SEO by Pagup35301661k+error log error log
#2004Awin – Advertiser Tracking for WooCommerce3546391k+Non Singular String Literal Domain
#2005BackWPup – WordPress Backup & Restore Plugin3511779500k+Non-prefixed global variable
#2006Basic Google Maps Placemarks35189803k+Output is not escaped
#2007bbPress Notify (No-Spam)3562662k+wp function not compatible with requires wp
#2008Before After Image Comparison Slider for WPBakery Page Builder3558591k+Output is not escaped
#2009belingoGeo351361331k+Output is not escaped
#2010Better Recent Comments35127292k+Text Domain Mismatch
#2011Bicycles by falbar3542665600Output is not escaped
#2012Lord of the Files: Enhanced Upload Security3562421k+Non-prefixed global variable
#2013Block Manager3533264k+Text Domain Mismatch
#2014Gutenberg Block Editor Toolkit – EditorsKit35612520k+Text Domain Mismatch
#2015Block User Account352801431k+Unsafe printing function
#2016Blogsqode – Blog Layouts and News Post Design3543063400Text Domain Mismatch
#2017BlossomThemes Toolkit353475230k+Output is not escaped
#2018Tooltipy (tooltips for WP)353701251k+Text Domain Mismatch
#2019Bootstrap for Contact Form 735357310k+Nonce verification recommended
#2020BORICA Payments by BORICA AD35537196500Text Domain Mismatch
#2021BuddyPress Activity Filter352566400Nonce verification recommended
#2022Wbcom Designs – BuddyPress Activity Social Share3529327400Text Domain Mismatch
#2023Custom Order Status Manager for WooCommerce356306730k+Text Domain Mismatch
#2024Registration Options for BuddyPress35471321k+Non-prefixed function
#2025BSK Forms Blacklist358315501k+Output is not escaped
#2026BTCPay Server – Accept Bitcoin payments in WooCommerce3548861k+Missing nonce verification
#2027BugHerd35823k+Output is not escaped
#2028Business Hours Indicator351391068k+Alternative PHP tag found
#2029Buying Buddy IDX CRM – Real Estate MLS Plugin3571240500Request data is not unslashed
#2030Cache Enabler35447590k+Input is not sanitized
#2031CatFolders – WordPress Media Library Folders & Categories3535766k+Direct Query
#2032Central Connect35721400Nonce verification recommended
#2033CF7 Spreadsheets3510062400Text Domain Mismatch
#2034CF7 Submissions – Securely Store Contact Form 7 Data and Attachments, Reply to the Sender and more35161192k+Non-prefixed global variable
#2035CF7 Views – Complete Entry Management for Contact Form 7351721811k+Output is not escaped
#2036Change Quantity on Checkout for WooCommerce35270324k+wp function not compatible with requires wp
#2037ChatHelp – Click to Chat Button, WooCommerce Chat to Order & Floating Chat Form35311881k+Non-prefixed global variable
#2038CiviCRM Profile Sync3531140600Non-prefixed global variable
#2039Cloudflare352885200k+Non-prefixed namespace
#2040Flexible SSL for CloudFlare3596100k+Output is not escaped
#2041CM E-Mail Blacklist – Simple email filtering for safer registration35269205800Output is not escaped
#2042CompressX — AVIF & WebP Converter, Media Replacement352642340k+Missing nonce verification
#2043Conditional Menus35922860k+Text Domain Mismatch
#2044Constant Contact Forms35418920k+Missing nonce verification
#2045EasyTest – Simplify A/B Testing3597610k+Non-prefixed global variable
#2046Cookies and Content Security Policy3526141210k+Output is not escaped
#2047Core Framework35706210k+Text Domain Mismatch
#2048Counter live visitors for WooCommerce35189397k+Short PHP open tag found
#2049Coupon X – Discount Popups, Promo Codes Pop Ups for WooCommerce & Announcement Popups35301681k+Non-prefixed global variable
#2050CrowdSec351301192k+Output is not escaped