WordPress.Security.NonceVerification.Recommended

Nonce verification recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical weight

Why It Shows Up

The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.

Why It Matters

Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.

How to Fix

  • For admin forms and action links, add and verify a nonce.
  • For AJAX handlers, use `check_ajax_referer()`.
  • For public read-only endpoints, document why a nonce is not required and keep input validation strict.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2701Afterpay Gateway for WooCommerce381836210k+Text Domain Mismatch
#2702Alphabetic Pagination38144117500Unsafe printing function
#2703Anant Sites — Elementor & Gutenberg Readymade Template Library Free & Pro Templates38201561k+Non-prefixed global variable
#2704Announce from the Dashboard38138247k+Non Singular String Literal Domain
#2705Announcement Bar38192613k+Non Singular String Literal Domain
#2706Any Mobile Theme Switcher38695920k+Output is not escaped
#2707Aplazame383439500Non-prefixed global variable
#2708Activity Log – Monitor & Record User Changes3881149200k+Nonce verification recommended
#2709Attachments38238668k+Unsafe printing function
#2710Audio Story Images384644400Output is not escaped
#2711Auto Prune Posts3854571k+Output is not escaped
#2712Autologin Links3873748k+Output is not escaped
#2713Automatic Post Tagger385923072k+Output is not escaped
#2714Beauty Form Styler for Gravity Forms387093600Output is not escaped
#2715Before After Image Comparison Slider for Elementor38633610k+Text Domain Mismatch
#2716BuddyPress Follow38114671k+Text Domain Mismatch
#2717Cache Warmer38322191k+Interpolated SQL is not prepared
#2718Category Posts Widget381532640k+Output is not escaped
#2719Certificate Verification3833401k+Output is not escaped
#2720Database for Contact Form 738341287k+Missing nonce verification
#2721WPAppsDev – CF7 Form Submission Limit38104331k+Text Domain Mismatch
#2722Contact Form 7 – Post Fields38167253k+Text Domain Mismatch
#2723Checkout Files Upload for WooCommerce38571207k+Input is not sanitized
#2724Classic Editor Plus – WordPress Classic Editor plugin by Felix388342500Text Domain Mismatch
#2725Clever Mega Menu for Visual Composer38500871k+Output is not escaped
#2726Clever Mega Menu for Elementor38835441k+Output is not escaped
#2727Chatbot for WordPress by Collect.chat ⚡️3858366k+Unsafe printing function
#2728Colorlib 404 Customizer3865155k+Missing direct file access protection
#2729country-redirect385819400Text Domain Mismatch
#2730Crop-Thumbnails38332740k+Missing direct file access protection
#2731CRUDLab Disable Comments382054700Missing nonce verification
#2732Custom Menu Wizard Widget38326302k+Output is not escaped
#2733Customize Posts3831771k+Non-prefixed hook name
#2734Login Page Customizer – Customize Login Screen & Branding38361721k+Non-prefixed function
#2735Darkify – Dark Mode & Night Mode for Website & Admin (Dark Theme Included)3838183600Non-prefixed global variable
#2736Datafeedr Comparison Sets38450533k+Output is not escaped
#2737Datafeedr WooCommerce Importer38112565k+Text Domain Mismatch
#2738Availability Datepicker – Booking Calendar for Contact Form 7 – Input WP383443020k+Text Domain Mismatch
#2739Product Badge, Label, Countdown Timer for WooCommerce – Sale Booster38371025k+Interpolated SQL is not prepared
#2740Easy Yandex Metrica389748900Output is not escaped
#2741Elemailer Lite – Elementor email template & campaign builder3844505k+Output is not escaped
#2742Email Encoder – Protect Email Addresses and Phone Numbers38915090k+Non-prefixed global variable
#2743PiWeb Product Enquiry or product catalog for WooCommerce382551451k+Text Domain Mismatch
#2744EU Cookie Law Compliance38151222k+Non Singular String Literal Domain
#2745Export to Blogger3847117900Non-prefixed global variable
#2746Export User Data38187626k+Text Domain Mismatch
#2747Buttonizer – Social Media Share Buttons, Social Icons, & Social Feeds381678240k+Output is not escaped
#2748Social Shop for WooCommerce385124800Output is not escaped
#2749Foyer – Digital Signage for WordPress381481911k+Non-prefixed global variable
#2750Front-end Editor387862500Output is not escaped