WordPress.Security.NonceVerification.Recommended
Nonce verification recommended
The code reads request data in a place where Plugin Check recommends a nonce check.
Why It Shows Up
The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.
Why It Matters
Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.
How to Fix
- For admin forms and action links, add and verify a nonce.
- For AJAX handlers, use `check_ajax_referer()`.
- For public read-only endpoints, document why a nonce is not required and keep input validation strict.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2501 | WP Responsive Menu | 36 | 295 | 139 | 30k+ | Text Domain Mismatch | ||
| #2502 | WP Hardening (discontinued) | 36 | 230 | 85 | 10k+ | Text Domain Mismatch | ||
| #2503 | WP Socializer – Simple & Easy Social Media Share Icons | 36 | 214 | 51 | 10k+ | Output is not escaped | ||
| #2504 | WP Sort Order | 36 | 134 | 211 | 6k+ | Direct Query | ||
| #2505 | WP Stripe Checkout | 36 | 198 | 118 | 1k+ | Unsafe printing function | ||
| #2506 | WP Super Edit | 36 | 35 | 185 | 2k+ | Nonce verification recommended | ||
| #2507 | Yandex.Metrica | 36 | 76 | 30 | 60k+ | Output is not escaped | ||
| #2508 | WPAvatar | 36 | 425 | 45 | 700 | Unsafe printing function | ||
| #2509 | WP fail2ban Blocklist | 36 | 61 | 63 | 3k+ | SQL query is not prepared | ||
| #2510 | wpShopGermany IT-RECHT KANZLEI | 36 | 37 | 47 | 500 | Input is not sanitized | ||
| #2511 | YayExtra – WooCommerce Extra Product Options | 36 | 11 | 472 | 1k+ | Non-prefixed global variable | ||
| #2512 | Visual CSS Style Editor | 36 | 283 | 233 | 40k+ | Output is not escaped | ||
| #2513 | Custom Product Tabs for WooCommerce | 36 | 87 | 81 | 80k+ | Output is not escaped | ||
| #2514 | 360 Javascript Viewer | 37 | 144 | 22 | 1k+ | Output is not escaped | ||
| #2515 | Redirectioner | 37 | 234 | 410 | 1k+ | Output is not escaped | ||
| #2516 | ACF: TablePress | 37 | 160 | 45 | 1k+ | Text Domain Mismatch | ||
| #2517 | Adapta RGPD | 37 | 349 | 72 | 40k+ | Text Domain Mismatch | ||
| #2518 | Adaptive Images for WordPress | 37 | 51 | 75 | 3k+ | Output is not escaped | ||
| #2519 | Add From Server | 37 | 52 | 20 | 60k+ | Output is not escaped | ||
| #2520 | AddToAny Share Buttons | 37 | 123 | 164 | 300k+ | Unsafe printing function | ||
| #2521 | Add to Cart Redirect for WooCommerce | 37 | 215 | 141 | 8k+ | Text Domain Mismatch | ||
| #2522 | Advanced Accordion Gutenberg Block – Create Beautiful FAQs, Content Accordions & Interactive Tabs | 37 | 39 | 36 | 10k+ | Missing direct file access protection | ||
| #2523 | PiWeb Advanced Flat rate / Conditional shipping for WooCommerce | 37 | 84 | 192 | 2k+ | wp function not compatible with requires wp | ||
| #2524 | Agreeable | 37 | 40 | 67 | 800 | Unsafe printing function | ||
| #2525 | AJAX Hits Counter + Popular Posts Widget | 37 | 247 | 44 | 900 | Output is not escaped | ||
| #2526 | Analytics Spam Blocker | 37 | 76 | 22 | 800 | Unsafe printing function | ||
| #2527 | Antom Payments | 37 | 62 | 73 | 800 | badly named files | ||
| #2528 | All-in-one Chat Button by anychat.one | 37 | 119 | 69 | 900 | Text Domain Mismatch | ||
| #2529 | Anything Popup | 37 | 164 | 185 | 2k+ | Non-prefixed global variable | ||
| #2530 | Apaczka: integracja z WooCommerce | 37 | 8 | 316 | 3k+ | Non-prefixed global variable | ||
| #2531 | Async JavaScript | 37 | 357 | 79 | 70k+ | Unsafe printing function | ||
| #2532 | Login by Auth0 | 37 | 307 | 82 | 10k+ | Text Domain Mismatch | ||
| #2533 | Random Posts and Pages Widget | 37 | 322 | 15 | 1k+ | Output is not escaped | ||
| #2534 | AZAN Plugin | 37 | 44 | 30 | 500 | Output is not escaped | ||
| #2535 | Banhammer – Monitor Site Traffic, Block Bad Users and Bots | 37 | 104 | 174 | 1k+ | Output is not escaped | ||
| #2536 | Custom Thank You Page Customize For WooCommerce by Binary Carpenter | 37 | 45 | 80 | 2k+ | error log error log | ||
| #2537 | Bellows Accordion Menu | 37 | 160 | 28 | 10k+ | Text Domain Mismatch | ||
| #2538 | Better Click To Share – Shareable Quote Boxes for X (Twitter) | 37 | 170 | 59 | 6k+ | Unsafe printing function | ||
| #2539 | Blog News Addons For Elementor (News, Magazine and Blog Addons) | 37 | 23 | 296 | 400 | Non-prefixed global variable | ||
| #2540 | Customize WordPress Emails and Alerts – Better Notifications for WP | 37 | 64 | 47 | 30k+ | Missing Arg Domain | ||
| #2541 | Booster Extension | 37 | 28 | 289 | 7k+ | Non-prefixed global variable | ||
| #2542 | Britetechs Companion | 37 | 966 | 613 | 2k+ | Text Domain Mismatch | ||
| #2543 | bunny.net – WordPress CDN Plugin | 37 | 165 | 159 | 10k+ | Output is not escaped | ||
| #2544 | Contact Zalo Report SW | 37 | 44 | 39 | 900 | Missing Arg Domain | ||
| #2545 | Delivery Date Time & Pickup for WooCommerce | 37 | 148 | 216 | 400 | Output is not escaped | ||
| #2546 | Carousel Upsells and Related Product for Woocommerce | 37 | 173 | 35 | 1k+ | Output is not escaped | ||
| #2547 | Catalog Booster & Product Catalog Mode for WooCommerce | 37 | 106 | 168 | 1k+ | Non-prefixed function | ||
| #2548 | Checkout for PayPal | 37 | 134 | 67 | 600 | Unsafe printing function | ||
| #2549 | Clearpay Gateway for WooCommerce | 37 | 185 | 63 | 1k+ | Text Domain Mismatch | ||
| #2550 | ClickCease Click Fraud Protection | 37 | 30 | 58 | 10k+ | Non-prefixed class |