WordPress.Security.NonceVerification.Recommended
Nonce verification recommended
The code reads request data in a place where Plugin Check recommends a nonce check.
Why It Shows Up
The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.
Why It Matters
Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.
How to Fix
- For admin forms and action links, add and verify a nonce.
- For AJAX handlers, use `check_ajax_referer()`.
- For public read-only endpoints, document why a nonce is not required and keep input validation strict.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2051 | Cryptex | E-Mail Address Protection | 35 | 62 | 10 | 900 | Output is not escaped | ||
| #2052 | CubeWP Framework | 35 | 114 | 71 | 4k+ | wp function not compatible with requires wp | ||
| #2053 | Cue by AudioTheme.com | 35 | 28 | 150 | 6k+ | Non-prefixed hook name | ||
| #2054 | Currency Switcher for WooCommerce | 35 | 166 | 61 | 800 | Text Domain Mismatch | ||
| #2055 | Custom CSS and JavaScript | 35 | 38 | 91 | 10k+ | Input is not sanitized | ||
| #2056 | Custom JavaScript Editor | 35 | 8 | 23 | 400 | Missing Version | ||
| #2057 | Custom Order Numbers for WooCommerce | 35 | 6 | 32 | 20k+ | Non-prefixed hook name | ||
| #2058 | Custom Post Type Maker | 35 | 240 | 86 | 6k+ | Unsafe printing function | ||
| #2059 | Dadevarzan WordPress Common | 35 | 56 | 71 | 700 | Text Domain Mismatch | ||
| #2060 | DarkLooks – Dark Mode Switcher For WordPress | 35 | 195 | 21 | 900 | Text Domain Mismatch | ||
| #2061 | Datafeedr Product Sets | 35 | 602 | 206 | 5k+ | Output is not escaped | ||
| #2062 | Deposits & Partial Payments for WooCommerce | 35 | 174 | 144 | 5k+ | Text Domain Mismatch | ||
| #2063 | Dintero Checkout for WooCommerce Payment Methods | 35 | 58 | 48 | 600 | Text Domain Mismatch | ||
| #2064 | PiWeb Disable payment method / Partial payment for WooCommerce | 35 | 55 | 221 | 4k+ | Non-prefixed class | ||
| #2065 | Disable and Remove Google Fonts | GDPR & DSGVO friendly | 35 | 21 | 11 | 100k+ | Missing Translators Comment | ||
| #2066 | Disable XML-RPC-API | 35 | 444 | 52 | 100k+ | Text Domain Mismatch | ||
| #2067 | DOOFINDER Search and Discovery for WP & WooCommerce | 35 | 151 | 120 | 2k+ | Text Domain Mismatch | ||
| #2068 | Easy Dash for LearnDash | 35 | 623 | 88 | 700 | Text Domain Mismatch | ||
| #2069 | Easy Noindex And Nofollow | 35 | 55 | 18 | 400 | Output is not escaped | ||
| #2070 | Easy Panorama | 35 | 120 | 10 | 500 | Non Singular String Literal Domain | ||
| #2071 | Easy Post Types and Fields | 35 | 138 | 135 | 1k+ | Text Domain Mismatch | ||
| #2072 | Product Bundle Builder for WooCommerce | 35 | 152 | 138 | 6k+ | Text Domain Mismatch | ||
| #2073 | Easy Social Icons | 35 | 182 | 158 | 20k+ | Output is not escaped | ||
| #2074 | Easy SwipeBox | 35 | 157 | 10 | 2k+ | Non Singular String Literal Domain | ||
| #2075 | Editorial Calendar | 35 | 127 | 160 | 20k+ | Output is not escaped | ||
| #2076 | Elementor Website Builder – more than just a page builder | 35 | 46 | 428 | 10m+ | Non-prefixed global variable | ||
| #2077 | Email Subscription Popup — Newsletter & GDPR Consent | 35 | 683 | 193 | 1k+ | Output is not escaped | ||
| #2078 | Email Validator for Contact Form 7 | 35 | 111 | 74 | 500 | SQL query is not prepared | ||
| #2079 | Embed Extended – Embed Maps, Videos, Websites, Source Codes, and more | 35 | 102 | 92 | 400 | Non-prefixed global variable | ||
| #2080 | Enlighter – Customizable Syntax Highlighter | 35 | 50 | 10 | 10k+ | Output is not escaped | ||
| #2081 | EnvíaloSimple: Email Marketing y Newsletters | 35 | 147 | 250 | 2k+ | Nonce verification recommended | ||
| #2082 | Equivalent Mobile Redirect | 35 | 29 | 17 | 2k+ | Text Domain Mismatch | ||
| #2083 | Connect WooCommerce to ActiveCampaign by EqualServing | 35 | 135 | 89 | 1k+ | Text Domain Mismatch | ||
| #2084 | Ever Compare – Products Compare Plugin for WooCommerce | 35 | 2 | 23 | 600 | Non-prefixed global variable | ||
| #2085 | AI Popup Builder & Popup Maker by OptiMonk | 35 | 81 | 65 | 4k+ | Text Domain Mismatch | ||
| #2086 | Expire User Passwords | 35 | 3 | 15 | 3k+ | Nonce verification recommended | ||
| #2087 | Export Featured Images | 35 | 176 | 67 | 1k+ | Output is not escaped | ||
| #2088 | External Links Overview | 35 | 57 | 200 | 800 | Non-prefixed global variable | ||
| #2089 | F4 Shipping Phone and E-Mail for WooCommerce | 35 | 21 | 30 | 800 | Non-prefixed hook name | ||
| #2090 | WP2Social Auto Publish | 35 | 643 | 215 | 9k+ | Unsafe printing function | ||
| #2091 | Pixel Cat – Conversion Pixel Manager | 35 | 253 | 215 | 40k+ | Output is not escaped | ||
| #2092 | Instant Indexing for Google | 35 | 13 | 62 | 200k+ | Non-prefixed global variable | ||
| #2093 | Reviews Widgets for Google, TripAdvisor, Yelp & Recommendations | 35 | 255 | 225 | 10k+ | Output is not escaped | ||
| #2094 | Flexible Checkout Fields for WooCommerce – WooCommerce Checkout Manager | 35 | 64 | 64 | 80k+ | Non-prefixed global variable | ||
| #2095 | Flexible PDF Coupons – Gift Cards & Vouchers for WooCommerce | 35 | 8 | 20 | 2k+ | Non-prefixed global variable | ||
| #2096 | Flexible PDF Invoices for WooCommerce & WordPress | 35 | 15 | 55 | 6k+ | Non-prefixed global variable | ||
| #2097 | Flexible Subscriptions | 35 | 46 | 249 | 1k+ | Non-prefixed global variable | ||
| #2098 | Flying Analytics: Self-Host Google Analytics v4 with Speed Optimization | 35 | 17 | 13 | 4k+ | Missing direct file access protection | ||
| #2099 | Events Calendar by FooEvents | 35 | 57 | 59 | 4k+ | Non-prefixed global variable | ||
| #2100 | FooGallery Migrate | 35 | 41 | 232 | 1k+ | Non-prefixed global variable |