WordPress.Security.NonceVerification.Recommended
Nonce verification recommended
The code reads request data in a place where Plugin Check recommends a nonce check.
Why It Shows Up
The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.
Why It Matters
Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.
How to Fix
- For admin forms and action links, add and verify a nonce.
- For AJAX handlers, use `check_ajax_referer()`.
- For public read-only endpoints, document why a nonce is not required and keep input validation strict.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2701 | Afterpay Gateway for WooCommerce | 38 | 183 | 62 | 10k+ | Text Domain Mismatch | ||
| #2702 | Alphabetic Pagination | 38 | 144 | 117 | 500 | Unsafe printing function | ||
| #2703 | Anant Sites — Elementor & Gutenberg Readymade Template Library Free & Pro Templates | 38 | 20 | 156 | 1k+ | Non-prefixed global variable | ||
| #2704 | Announce from the Dashboard | 38 | 138 | 24 | 7k+ | Non Singular String Literal Domain | ||
| #2705 | Announcement Bar | 38 | 192 | 61 | 3k+ | Non Singular String Literal Domain | ||
| #2706 | Any Mobile Theme Switcher | 38 | 69 | 59 | 20k+ | Output is not escaped | ||
| #2707 | Aplazame | 38 | 34 | 39 | 500 | Non-prefixed global variable | ||
| #2708 | Activity Log – Monitor & Record User Changes | 38 | 81 | 149 | 200k+ | Nonce verification recommended | ||
| #2709 | Attachments | 38 | 238 | 66 | 8k+ | Unsafe printing function | ||
| #2710 | Audio Story Images | 38 | 46 | 44 | 400 | Output is not escaped | ||
| #2711 | Auto Prune Posts | 38 | 54 | 57 | 1k+ | Output is not escaped | ||
| #2712 | Autologin Links | 38 | 73 | 74 | 8k+ | Output is not escaped | ||
| #2713 | Automatic Post Tagger | 38 | 592 | 307 | 2k+ | Output is not escaped | ||
| #2714 | Beauty Form Styler for Gravity Forms | 38 | 70 | 93 | 600 | Output is not escaped | ||
| #2715 | Before After Image Comparison Slider for Elementor | 38 | 63 | 36 | 10k+ | Text Domain Mismatch | ||
| #2716 | BuddyPress Follow | 38 | 114 | 67 | 1k+ | Text Domain Mismatch | ||
| #2717 | Cache Warmer | 38 | 32 | 219 | 1k+ | Interpolated SQL is not prepared | ||
| #2718 | Category Posts Widget | 38 | 153 | 26 | 40k+ | Output is not escaped | ||
| #2719 | Certificate Verification | 38 | 33 | 40 | 1k+ | Output is not escaped | ||
| #2720 | Database for Contact Form 7 | 38 | 34 | 128 | 7k+ | Missing nonce verification | ||
| #2721 | WPAppsDev – CF7 Form Submission Limit | 38 | 104 | 33 | 1k+ | Text Domain Mismatch | ||
| #2722 | Contact Form 7 – Post Fields | 38 | 167 | 25 | 3k+ | Text Domain Mismatch | ||
| #2723 | Checkout Files Upload for WooCommerce | 38 | 57 | 120 | 7k+ | Input is not sanitized | ||
| #2724 | Classic Editor Plus – WordPress Classic Editor plugin by Felix | 38 | 83 | 42 | 500 | Text Domain Mismatch | ||
| #2725 | Clever Mega Menu for Visual Composer | 38 | 500 | 87 | 1k+ | Output is not escaped | ||
| #2726 | Clever Mega Menu for Elementor | 38 | 835 | 44 | 1k+ | Output is not escaped | ||
| #2727 | Chatbot for WordPress by Collect.chat ⚡️ | 38 | 58 | 36 | 6k+ | Unsafe printing function | ||
| #2728 | Colorlib 404 Customizer | 38 | 65 | 15 | 5k+ | Missing direct file access protection | ||
| #2729 | country-redirect | 38 | 58 | 19 | 400 | Text Domain Mismatch | ||
| #2730 | Crop-Thumbnails | 38 | 33 | 27 | 40k+ | Missing direct file access protection | ||
| #2731 | CRUDLab Disable Comments | 38 | 20 | 54 | 700 | Missing nonce verification | ||
| #2732 | Custom Menu Wizard Widget | 38 | 326 | 30 | 2k+ | Output is not escaped | ||
| #2733 | Customize Posts | 38 | 31 | 77 | 1k+ | Non-prefixed hook name | ||
| #2734 | Login Page Customizer – Customize Login Screen & Branding | 38 | 36 | 172 | 1k+ | Non-prefixed function | ||
| #2735 | Darkify – Dark Mode & Night Mode for Website & Admin (Dark Theme Included) | 38 | 38 | 183 | 600 | Non-prefixed global variable | ||
| #2736 | Datafeedr Comparison Sets | 38 | 450 | 53 | 3k+ | Output is not escaped | ||
| #2737 | Datafeedr WooCommerce Importer | 38 | 112 | 56 | 5k+ | Text Domain Mismatch | ||
| #2738 | Availability Datepicker – Booking Calendar for Contact Form 7 – Input WP | 38 | 344 | 30 | 20k+ | Text Domain Mismatch | ||
| #2739 | Product Badge, Label, Countdown Timer for WooCommerce – Sale Booster | 38 | 37 | 102 | 5k+ | Interpolated SQL is not prepared | ||
| #2740 | Easy Yandex Metrica | 38 | 97 | 48 | 900 | Output is not escaped | ||
| #2741 | Elemailer Lite – Elementor email template & campaign builder | 38 | 44 | 50 | 5k+ | Output is not escaped | ||
| #2742 | Email Encoder – Protect Email Addresses and Phone Numbers | 38 | 9 | 150 | 90k+ | Non-prefixed global variable | ||
| #2743 | PiWeb Product Enquiry or product catalog for WooCommerce | 38 | 255 | 145 | 1k+ | Text Domain Mismatch | ||
| #2744 | EU Cookie Law Compliance | 38 | 151 | 22 | 2k+ | Non Singular String Literal Domain | ||
| #2745 | Export to Blogger | 38 | 47 | 117 | 900 | Non-prefixed global variable | ||
| #2746 | Export User Data | 38 | 187 | 62 | 6k+ | Text Domain Mismatch | ||
| #2747 | Buttonizer – Social Media Share Buttons, Social Icons, & Social Feeds | 38 | 167 | 82 | 40k+ | Output is not escaped | ||
| #2748 | Social Shop for WooCommerce | 38 | 51 | 24 | 800 | Output is not escaped | ||
| #2749 | Foyer – Digital Signage for WordPress | 38 | 148 | 191 | 1k+ | Non-prefixed global variable | ||
| #2750 | Front-end Editor | 38 | 78 | 62 | 500 | Output is not escaped |