WordPress.Security.NonceVerification.Recommended
Nonce verification recommended
The code reads request data in a place where Plugin Check recommends a nonce check.
Why It Shows Up
The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.
Why It Matters
Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.
How to Fix
- For admin forms and action links, add and verify a nonce.
- For AJAX handlers, use `check_ajax_referer()`.
- For public read-only endpoints, document why a nonce is not required and keep input validation strict.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2401 | FreePay for WooCommerce | 36 | 114 | 102 | 400 | Output is not escaped | ||
| #2402 | Friendly Functions for Welcart | 36 | 311 | 83 | 1k+ | Non Singular String Literal Domain | ||
| #2403 | GetPaid > Wallet | 36 | 174 | 227 | 700 | Text Domain Mismatch | ||
| #2404 | Google Webfont Optimizer | 36 | 45 | 49 | 700 | Output is not escaped | ||
| #2405 | Gutena Kit – Gutenberg Blocks and Templates | 36 | 39 | 87 | 1k+ | Nonce verification recommended | ||
| #2406 | Header Footer Code Manager | 36 | 81 | 180 | 600k+ | Non-prefixed global variable | ||
| #2407 | Optimize Social Share | 36 | 203 | 61 | 3k+ | Unsafe printing function | ||
| #2408 | HTML Forms – Simple WordPress Forms Plugin | 36 | 231 | 166 | 10k+ | Output is not escaped | ||
| #2409 | HTML5 Maps | 36 | 194 | 160 | 5k+ | Output is not escaped | ||
| #2410 | HTTP Requests Manager | 36 | 98 | 90 | 1k+ | Output is not escaped | ||
| #2411 | Page Speed Optimizer: HTTP/2 Push, Async JavaScript, and Defer CSS | 36 | 68 | 33 | 6k+ | Output is not escaped | ||
| #2412 | If-So Geolocation | 36 | 50 | 57 | 1k+ | Non-prefixed global variable | ||
| #2413 | IntelliWidget Per Page Custom Menus and Dynamic Content | 36 | 586 | 162 | 600 | Output is not escaped | ||
| #2414 | Italy Cookie Choices (for EU Cookie Law & Cookie Notice) | 36 | 115 | 77 | 10k+ | Unsafe printing function | ||
| #2415 | Just TinyMCE Custom Styles | 36 | 112 | 28 | 1k+ | Missing Arg Domain | ||
| #2416 | Legal Text Connector of the IT-Recht Kanzlei | 36 | 45 | 46 | 10k+ | Exception output is not escaped | ||
| #2417 | Libro de Reclamaciones y Quejas | 36 | 266 | 124 | 4k+ | Text Domain Mismatch | ||
| #2418 | Linkable Title Html and Php Widget | 36 | 108 | 31 | 600 | Output is not escaped | ||
| #2419 | Login as User | 36 | 101 | 64 | 30k+ | Output is not escaped | ||
| #2420 | LocalWeb All In One | 36 | 34 | 297 | 5k+ | Non-prefixed global variable | ||
| #2421 | MailMunch – Grow your Email List | 36 | 102 | 49 | 6k+ | Output is not escaped | ||
| #2422 | Manage Notification E-mails | 36 | 129 | 98 | 100k+ | Non-prefixed function | ||
| #2423 | Materialis Companion | 36 | 129 | 67 | 6k+ | Unsafe printing function | ||
| #2424 | Media Deduper | 36 | 60 | 99 | 9k+ | Missing Arg Domain | ||
| #2425 | Microsoft Clarity | 36 | 48 | 163 | 200k+ | Nonce verification recommended | ||
| #2426 | Mobile Menu Builder for WordPress | 36 | 81 | 33 | 600 | Output is not escaped | ||
| #2427 | 코드엠샵 마이사이트 – MSHOP MY SITE | 36 | 58 | 55 | 800 | Output is not escaped | ||
| #2428 | Multiple Sidebars | 36 | 109 | 75 | 600 | Non Singular String Literal Domain | ||
| #2429 | WP Sticky Sidebar – Floating Sidebar On Scroll for Any Theme | 36 | 93 | 84 | 10k+ | Non-prefixed global variable | ||
| #2430 | News Manager | 36 | 134 | 57 | 600 | Output is not escaped | ||
| #2431 | News Ticker for Elementor | 36 | 76 | 57 | 2k+ | Text Domain Mismatch | ||
| #2432 | NextGEN Custom Fields | 36 | 215 | 131 | 1k+ | SQL query is not prepared | ||
| #2433 | MailerLite – Signup forms (official) | 36 | 430 | 158 | 100k+ | Output is not escaped | ||
| #2434 | We’re Open! | 36 | 273 | 187 | 5k+ | Unsafe printing function | ||
| #2435 | Order Status History for WooCommerce | 36 | 210 | 171 | 1k+ | Output is not escaped | ||
| #2436 | Ovation Elements | 36 | 23 | 399 | 10k+ | Non-prefixed global variable | ||
| #2437 | Ozh' Admin Drop Down Menu | 36 | 125 | 43 | 3k+ | Output is not escaped | ||
| #2438 | PayPal Currency Converter BASIC for WooCommerce | 36 | 348 | 20 | 400 | Output is not escaped | ||
| #2439 | PayTR Sanal POS WooCommerce – iFrame API | 36 | 117 | 54 | 10k+ | Output is not escaped | ||
| #2440 | PDF Forms Filler for CF7 | 36 | 185 | 79 | 3k+ | Text Domain Mismatch | ||
| #2441 | PDF Forms Filler for WPForms | 36 | 161 | 54 | 600 | Text Domain Mismatch | ||
| #2442 | Photonic Gallery & Lightbox for Flickr, SmugMug & Others | 36 | 180 | 117 | 10k+ | Missing Translators Comment | ||
| #2443 | Photoswipe Masonry Gallery | 36 | 57 | 47 | 6k+ | Non Singular String Literal Text | ||
| #2444 | WowStore – Store Builder & Product Blocks for WooCommerce | 36 | 56 | 437 | 4k+ | Non-prefixed global variable | ||
| #2445 | افزونه رسمی ترب | 36 | 42 | 86 | 30k+ | Exception output is not escaped | ||
| #2446 | Qubely – Advanced Gutenberg Blocks | 36 | 39 | 78 | 8k+ | Request data is not unslashed | ||
| #2447 | Quick 301 Redirects | 36 | 89 | 120 | 5k+ | Non-prefixed global variable | ||
| #2448 | Direct Checkout – Quick View – Buy Now For WooCommerce | 36 | 90 | 112 | 2k+ | Missing nonce verification | ||
| #2449 | Better Find and Replace – AI-Powered Suggestions | 36 | 67 | 129 | 40k+ | Missing direct file access protection | ||
| #2450 | Optimize Database after Deleting Revisions | 36 | 644 | 127 | 60k+ | Output is not escaped |