WordPress.Security.NonceVerification.Recommended
Nonce verification recommended
The code reads request data in a place where Plugin Check recommends a nonce check.
Why It Shows Up
The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.
Why It Matters
Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.
How to Fix
- For admin forms and action links, add and verify a nonce.
- For AJAX handlers, use `check_ajax_referer()`.
- For public read-only endpoints, document why a nonce is not required and keep input validation strict.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2101 | Friendly Captcha for WordPress | 35 | 192 | 62 | 9k+ | Output is not escaped | ||
| #2102 | Frontend Reset Password | 35 | 83 | 128 | 10k+ | Text Domain Mismatch | ||
| #2103 | Full Width Banner Slider Wp | 35 | 239 | 140 | 2k+ | Output is not escaped | ||
| #2104 | g-FFL Cockpit | 35 | 18 | 224 | 500 | Direct Query | ||
| #2105 | GA4WP – Analytics Dashboard for the Website | 35 | 434 | 157 | 2k+ | Text Domain Mismatch | ||
| #2106 | Video Gallery – YouTube Gallery, Vimeo, Video Portfolio, Image Portfolio and Image Gallery | 35 | 50 | 199 | 10k+ | Non-prefixed global variable | ||
| #2107 | GDPR Compliance & Cookie Consent | 35 | 251 | 61 | 4k+ | Output is not escaped | ||
| #2108 | Genesis Simple Sidebars | 35 | 9 | 51 | 10k+ | Nonce verification recommended | ||
| #2109 | GeoTargeting Lite – WordPress Geolocation | 35 | 66 | 79 | 1k+ | Output is not escaped | ||
| #2110 | Get a Newsletter | 35 | 138 | 144 | 400 | Output is not escaped | ||
| #2111 | Give – Divi Donation Modules | 35 | 286 | 12 | 600 | Text Domain Mismatch | ||
| #2112 | Glossary | 35 | 169 | 93 | 2k+ | Non Singular String Literal Domain | ||
| #2113 | Reviews Block for Google | 35 | 244 | 35 | 1k+ | Missing Arg Domain | ||
| #2114 | Gumlet – Image optimization with Resize, Compression, Lazy load, Caching & CDN delivery | 35 | 53 | 45 | 500 | parse url parse url | ||
| #2115 | Health Check & Troubleshooting | 35 | 264 | 238 | 300k+ | Missing Arg Domain | ||
| #2116 | Heartbeat Control | 35 | 27 | 18 | 80k+ | Missing Arg Domain | ||
| #2117 | Social Comments by Heateor | 35 | 285 | 35 | 700 | Unsafe printing function | ||
| #2118 | Help Scout | 35 | 11 | 13 | 400 | Missing direct file access protection | ||
| #2119 | Hippoo Mobile App for WooCommerce | 35 | 5 | 92 | 1k+ | Direct Query | ||
| #2120 | HivePress – Business Directory, Listings & Classified Ads Plugin | 35 | 38 | 180 | 10k+ | Direct Query | ||
| #2121 | HT Form Widget for Elementor and WPForms | 35 | 8 | 9 | 2k+ | Output is not escaped | ||
| #2122 | Iframely – WP media embeds, cards and blocks | 35 | 136 | 43 | 2k+ | Unsafe printing function | ||
| #2123 | Image Slider | 35 | 192 | 95 | 4k+ | Output is not escaped | ||
| #2124 | Image Watermark | 35 | 85 | 181 | 40k+ | Missing nonce verification | ||
| #2125 | Image Widget | 35 | 165 | 31 | 100k+ | Output is not escaped | ||
| #2126 | InPost PL | 35 | 2 | 938 | 10k+ | Non-prefixed global variable | ||
| #2127 | Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts | 35 | 64 | 91 | 60k+ | Output is not escaped | ||
| #2128 | Inspiro Starter Sites – 20+ Free Demo Templates for Gutenberg & Elementor | 35 | 6 | 200 | 10k+ | Non-prefixed global variable | ||
| #2129 | Social Feed Gallery | 35 | 104 | 52 | 80k+ | Text Domain Mismatch | ||
| #2130 | Instapage Plugin | 35 | 220 | 45 | 4k+ | Output is not escaped | ||
| #2131 | IntenseDebate Comments | 35 | 203 | 114 | 500 | Output is not escaped | ||
| #2132 | IP Based Login | 35 | 179 | 146 | 600 | Output is not escaped | ||
| #2133 | iPages – FlipBook Image & PDF Viewer | 35 | 467 | 177 | 2k+ | Text Domain Mismatch | ||
| #2134 | Issuu PDF Sync | 35 | 159 | 28 | 900 | Text Domain Mismatch | ||
| #2135 | Japanese font for WordPress(Previously: Japanese Font for TinyMCE) | 35 | 11 | 37 | 10k+ | Non-prefixed global variable | ||
| #2136 | Static Site Exporter | 35 | 54 | 25 | 500 | file system operations mkdir | ||
| #2137 | JetStyleManager for Gutenberg | 35 | 20 | 64 | 20k+ | Nonce verification recommended | ||
| #2138 | Nobs • Share Buttons | 35 | 314 | 85 | 3k+ | Output is not escaped | ||
| #2139 | Kaya QR Code Generator | 35 | 193 | 40 | 20k+ | Non Singular String Literal Domain | ||
| #2140 | Keyring | 35 | 233 | 203 | 1k+ | Output is not escaped | ||
| #2141 | Kiyoh customer review | 35 | 173 | 68 | 500 | Output is not escaped | ||
| #2142 | Kustom Checkout for WooCommerce | 35 | 101 | 505 | 10k+ | Dynamic hook name | ||
| #2143 | Lead Form Builder & Contact Form | 35 | 400 | 345 | 9k+ | Output is not escaped | ||
| #2144 | Topic Progression Using Storyline/Captivate for LearnDash | 35 | 382 | 25 | 400 | Text Domain Mismatch | ||
| #2145 | Lenix scss compiler | 35 | 133 | 34 | 800 | Exception output is not escaped | ||
| #2146 | Less PHP Compiler | 35 | 163 | 47 | 3k+ | Exception output is not escaped | ||
| #2147 | Login Page Styler – Custom WordPress Login Page Customizer & Security | 35 | 125 | 168 | 2k+ | Missing Arg Domain | ||
| #2148 | Mail Queue | 35 | 25 | 103 | 900 | Nonce verification recommended | ||
| #2149 | MainWP Child Reports | 35 | 49 | 116 | 100k+ | Non-prefixed hook name | ||
| #2150 | Marquee image crawler | 35 | 168 | 136 | 700 | Non-prefixed global variable |