WordPress.Security.NonceVerification.Recommended
Nonce verification recommended
The code reads request data in a place where Plugin Check recommends a nonce check.
Why It Shows Up
The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.
Why It Matters
Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.
How to Fix
- For admin forms and action links, add and verify a nonce.
- For AJAX handlers, use `check_ajax_referer()`.
- For public read-only endpoints, document why a nonce is not required and keep input validation strict.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2301 | WP Cassify | 35 | 106 | 143 | 700 | Missing nonce verification | ||
| #2302 | Category Dropdown by GCS Design | 35 | 93 | 52 | 1k+ | Output is not escaped | ||
| #2303 | WP-Cron Status Checker | 35 | 240 | 111 | 5k+ | Text Domain Mismatch | ||
| #2304 | Custom Body Class | 35 | 39 | 101 | 10k+ | Non-prefixed global variable | ||
| #2305 | WP Dark Mode – Improve Accessibility with AI Powered Dark Theme | 35 | 20 | 160 | 20k+ | Non-prefixed global variable | ||
| #2306 | WP Datepicker | 35 | 225 | 181 | 7k+ | Output is not escaped | ||
| #2307 | Database Backup for WordPress | 35 | 128 | 88 | 70k+ | Output is not escaped | ||
| #2308 | WP Duplicate Page | 35 | 44 | 50 | 60k+ | Text Domain Mismatch | ||
| #2309 | WP Geo | 35 | 180 | 84 | 900 | Output is not escaped | ||
| #2310 | WP GPX Maps | 35 | 27 | 100 | 4k+ | Non-prefixed global variable | ||
| #2311 | Mail logging – WP Mail Catcher | 35 | 232 | 157 | 20k+ | Text Domain Mismatch | ||
| #2312 | WP Mailto Links – Protect Email Addresses | 35 | 95 | 69 | 8k+ | Output is not escaped | ||
| #2313 | WP Open Street Map | 35 | 59 | 111 | 3k+ | Input is not validated | ||
| #2314 | WP-PageNavi | 35 | 84 | 95 | 500k+ | Non Singular String Literal Domain | ||
| #2315 | WP-Paginate | 35 | 37 | 55 | 20k+ | Input is not validated | ||
| #2316 | WP-Persian | 35 | 144 | 37 | 7k+ | Unsafe printing function | ||
| #2317 | WP-PostViews | 35 | 132 | 64 | 100k+ | Unsafe printing function | ||
| #2318 | WP All Import – Property Import for WP Residence | 35 | 41 | 32 | 700 | Output is not escaped | ||
| #2319 | video carousel slider with lightbox | 35 | 350 | 136 | 1k+ | Output is not escaped | ||
| #2320 | Subresource Integrity (SRI) Manager | 35 | 26 | 94 | 900 | Request data is not unslashed | ||
| #2321 | WP-ViperGB | 35 | 127 | 68 | 400 | Output is not escaped | ||
| #2322 | Integration for WooCommerce and QuickBooks | 35 | 263 | 125 | 1k+ | Output is not escaped | ||
| #2323 | WPC Badge Management for WooCommerce | 35 | 13 | 81 | 2k+ | Missing nonce verification | ||
| #2324 | WPCore Plugin Manager | 35 | 118 | 38 | 9k+ | Text Domain Mismatch | ||
| #2325 | WPFront User Role Editor | 35 | 333 | 578 | 30k+ | Output is not escaped | ||
| #2326 | wpLingua – Automatic translation – Translate and make website multilingual | 35 | 79 | 167 | 2k+ | Nonce verification recommended | ||
| #2327 | WPZOOM Addons for Elementor – Starter Templates & Widgets | 35 | 160 | 130 | 20k+ | Output is not escaped | ||
| #2328 | WPZOOM Forms – Drag & Drop Contact Form Builder for WordPress | 35 | 74 | 109 | 10k+ | Nonce verification recommended | ||
| #2329 | WPZOOM Portfolio Lite – Filterable Portfolio Plugin | 35 | 42 | 92 | 20k+ | Non-prefixed global variable | ||
| #2330 | WSB HUB3 | 35 | 36 | 109 | 1k+ | Missing nonce verification | ||
| #2331 | XServer Migrator | 35 | 39 | 53 | 10k+ | Interpolated SQL is not prepared | ||
| #2332 | YML for Yandex Market | 35 | 18 | 288 | 10k+ | Non-prefixed global variable | ||
| #2333 | Year Make Model Search for WooCommerce | 35 | 188 | 162 | 1k+ | Output is not escaped | ||
| #2334 | Yoco Payments | 35 | 2 | 32 | 10k+ | Nonce verification recommended | ||
| #2335 | Yotpo: Product & Photo Reviews for WooCommerce | 35 | 24 | 189 | 2k+ | Non-prefixed function | ||
| #2336 | ZI Hide Featured Image | 35 | 8 | 3 | 700 | Hidden files included | ||
| #2337 | Ziina | 35 | 4 | 25 | 2k+ | Input is not sanitized | ||
| #2338 | 2C2P Redirect API for WooCommerce | 36 | 136 | 62 | 900 | wp function not compatible with requires wp | ||
| #2339 | 3B Meteo | 36 | 50 | 76 | 1k+ | Output is not escaped | ||
| #2340 | Advanced Export for WP & WPMU | 36 | 124 | 55 | 700 | Output is not escaped | ||
| #2341 | SOOZ – AI for SEO – Bulk Generate Focus Keyphrases, Metadata, Alt Text (SEO Autopilot) | 36 | 4 | 342 | 2k+ | Nonce verification recommended | ||
| #2342 | Asesor de Cookies RGPD para normativa europea | 36 | 94 | 91 | 20k+ | wp function not compatible with requires wp | ||
| #2343 | Awesome GDPR Compliant Cookie Consent and Notice | 36 | 653 | 201 | 500 | Text Domain Mismatch | ||
| #2344 | Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder | 36 | 3 | 322 | 10k+ | Nonce verification recommended | ||
| #2345 | Black Widgets For Elementor | 36 | 2,608 | 19 | 800 | Text Domain Mismatch | ||
| #2346 | Blaze Demo Importer | 36 | 101 | 94 | 8k+ | Output is not escaped | ||
| #2347 | BlockStrap Page Builder – Bootstrap Blocks | 36 | 81 | 89 | 2k+ | Missing direct file access protection | ||
| #2348 | Blog, Posts and Category Filter for Elementor | 36 | 159 | 55 | 1k+ | Text Domain Mismatch | ||
| #2349 | BP Disable Activation Reloaded | 36 | 147 | 28 | 800 | Output is not escaped | ||
| #2350 | BP Group Documents | 36 | 27 | 195 | 600 | Non-prefixed global variable |