WordPress.Security.NonceVerification.Recommended
Nonce verification recommended
The code reads request data in a place where Plugin Check recommends a nonce check.
Why It Shows Up
The scan found request handling that does not necessarily mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.
Why It Matters
Verifying a nonce rejects accidental or forged requests and documents that the action is expected to originate from the plugin's own UI.
How to Fix
- For admin forms and action links, add and verify a nonce.
- For AJAX handlers, use `check_ajax_referer()`.
- For public read-only endpoints, document why a nonce is not required and keep input validation strict.
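A worked version of the three fixes above, in PHP, as an added example for this page (it is not code from Plugin Check or from any plugin listed below). The `myplugin_` function names, option keys, hook names and the `admin.js` script handle are assumptions; the WordPress functions called are the real core ones.

```php
<?php
// Added example; "myplugin_" names, option keys and admin.js are assumptions.

// 1. Admin form: emit a nonce field, then verify it before touching state.
function myplugin_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save_settings" />
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <input type="text" name="myplugin_label" />
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function myplugin_handle_save_settings() {
    // Capability check and nonce check are both required; neither replaces the other.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Dies with HTTP 403 when the nonce is missing, invalid or expired.
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

    $label = isset( $_POST['myplugin_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['myplugin_label'] ) )
        : '';
    update_option( 'myplugin_label', $label );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_myplugin_save_settings', 'myplugin_handle_save_settings' );

// 2. Admin action link: the nonce travels in the URL and is verified on arrival.
function myplugin_reset_link() {
    return wp_nonce_url( admin_url( 'admin-post.php?action=myplugin_reset' ), 'myplugin_reset', 'myplugin_nonce' );
}

function myplugin_handle_reset() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $nonce = isset( $_GET['myplugin_nonce'] ) ? sanitize_text_field( wp_unslash( $_GET['myplugin_nonce'] ) ) : '';
    // wp_verify_nonce() returns false for an invalid or expired nonce; fail closed.
    if ( ! wp_verify_nonce( $nonce, 'myplugin_reset' ) ) {
        wp_die( 'Link expired or invalid.', '', array( 'response' => 403 ) );
    }
    delete_option( 'myplugin_label' );
    wp_safe_redirect( wp_get_referer() );
    exit;
}
add_action( 'admin_post_myplugin_reset', 'myplugin_handle_reset' );

// 3. AJAX: create the nonce server-side, hand it to the script, verify with check_ajax_referer().
function myplugin_enqueue_admin_js() {
    wp_enqueue_script( 'myplugin-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'myplugin-admin', 'mypluginAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'myplugin_ajax' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'myplugin_enqueue_admin_js' );

function myplugin_ajax_toggle() {
    // Reads $_REQUEST['security'] and dies with -1 (HTTP 403) on failure.
    check_ajax_referer( 'myplugin_ajax', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $enabled = isset( $_POST['enabled'] ) ? (bool) absint( $_POST['enabled'] ) : false;
    update_option( 'myplugin_enabled', $enabled );
    wp_send_json_success( array( 'enabled' => $enabled ) );
}
add_action( 'wp_ajax_myplugin_toggle', 'myplugin_ajax_toggle' );

// 4. Public read-only endpoint: no nonce (anonymous visitors have none and nothing is
//    mutated); the handler only reads, and the one input is validated against an allow-list.
function myplugin_register_rest_route() {
    register_rest_route( 'myplugin/v1', '/label', array(
        'methods'             => WP_REST_Server::READABLE,
        'permission_callback' => '__return_true', // public by design, read-only
        'args'                => array(
            'format' => array(
                'type'              => 'string',
                'enum'              => array( 'plain', 'upper' ),
                'default'           => 'plain',
                'sanitize_callback' => 'sanitize_key',
            ),
        ),
        'callback'            => function ( WP_REST_Request $request ) {
            $label = (string) get_option( 'myplugin_label', '' );
            return rest_ensure_response( array(
                'label' => 'upper' === $request['format'] ? strtoupper( $label ) : $label,
            ) );
        },
    ) );
}
add_action( 'rest_api_init', 'myplugin_register_rest_route' );
```

Plugin Check recognizes `wp_verify_nonce()`, `check_admin_referer()` and `check_ajax_referer()` as nonce verification, so the call has to sit in the same function as the `$_GET`/`$_POST`/`$_REQUEST` read it protects; a check in a different function does not satisfy the sniff. The nonce is a CSRF control, not an authorization control, which is why every state-changing branch above also calls `current_user_can()`.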
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2751 | Product Slider, Product Grid, Product Masonry | 49 | 55 | 144 | 10k+ | | | wp function not compatible with requires wp |
| #2752 | WP Sitemap Page | 49 | 43 | 14 | 200k+ | | | Missing Translators Comment |
| #2753 | Page Builder Gutenberg Blocks – CoBlocks | 50 | 167 | 36 | 300k+ | | | block api version too low |
| #2754 | Disable Site | 50 | 26 | 3 | 4k+ | | | Output is not escaped |
| #2755 | Dynamic Pricing and Discount Rules | 50 | 25 | 65 | 1k+ | | | Non Singular String Literal Text |
| #2756 | File Manager | 50 | 42 | 72 | 10k+ | | | Missing direct file access protection |
| #2757 | Block IPs for Gravity Forms | 50 | 8 | 36 | 1k+ | | | Request data is not unslashed |
| #2758 | HT Slider For Elementor | 50 | 884 | 40 | 20k+ | | | Text Domain Mismatch |
| #2759 | IMGspider – 图片采集抓取插件 | 50 | 12 | 49 | 2k+ | | | Missing nonce verification |
| #2760 | Custom Block Builder – Lazy Blocks | 50 | 23 | 51 | 20k+ | | | Non-prefixed hook name |
| #2761 | Sitemap Generator | 50 | 60 | 26 | 3k+ | | | Output is not escaped |
| #2762 | Product Open Pricing (Name Your Price) for WooCommerce | 50 | 105 | 37 | 6k+ | | | Text Domain Mismatch |
| #2763 | Razorpay Payment Links for WooCommerce | 50 | 16 | 34 | 1k+ | | | Nonce verification recommended |
| #2764 | Send Emails with Mandrill | 50 | 36 | 141 | 6k+ | | | Non-prefixed global variable |
| #2765 | Server Info – System Health & Diagnostics Suite | 50 | 15 | 46 | 3k+ | | | Input is not sanitized |
| #2766 | Sözleşmeler | 50 | 6 | 36 | 1k+ | | | Input is not sanitized |
| #2767 | Table Addons for Elementor | 50 | 92 | 29 | 20k+ | | | wp function not compatible with requires wp |
| #2768 | Ultimate Floating Widgets – Make popup sidebars | 50 | 48 | 14 | 3k+ | | | Output is not escaped |
| #2769 | WPC Product Timer for WooCommerce | 50 | 13 | 39 | 3k+ | | | wp function not compatible with requires wp |
| #2770 | WP Hide Show Featured Image | 50 | 36 | 5 | 4k+ | | | Unsafe printing function |
| #2771 | WPKoi Templates for Elementor | 50 | 935 | 25 | 5k+ | | | Text Domain Mismatch |
| #2772 | WRC Pricing Tables – Responsive CSS3 Pricing Tables | 50 | 5 | 96 | 2k+ | | | Missing nonce verification |
| #2773 | Cart Popup for WooCommerce | 51 | 9 | 115 | 9k+ | | | Non-prefixed global variable |
| #2774 | Adjust Admin Categories | 51 | 30 | 12 | 10k+ | | | Output is not escaped |
| #2775 | AVIF Uploader | 51 | 50 | 44 | 4k+ | | | Missing Arg Domain |
| #2776 | Feeds for TikTok – Display Video Feeds in Grid Layouts | 51 | 18 | 59 | 1k+ | | | Request data is not unslashed |
| #2777 | Bootstrap Modals | 51 | 43 | 8 | 1k+ | | | Output is not escaped |
| #2778 | Counter Box – Add Countdowns, Timers & Dynamic Counters to WordPress | 51 | 3 | 116 | 1k+ | | | Missing nonce verification |
| #2779 | Disk Usage Insights | 51 | 26 | 42 | 1k+ | | | Non-prefixed global variable |
| #2780 | Gravatar Enhanced – Avatars, Profiles, and Privacy | 51 | 38 | 48 | 100k+ | | | Dynamic hook name |
| #2781 | Gutenverse – WordPress Blocks, Page Builder & Site Editor | 51 | 17 | 47 | 20k+ | | | Non-prefixed hook name |
| #2782 | Juicer.io: Effortlessly embed, curate, and aggregate social media feeds into your website | 51 | 44 | 34 | 9k+ | | | Output is not escaped |
| #2783 | Menu Icons by Themeisle – Add Icons to Navigation Menus | 51 | 34 | 22 | 100k+ | | | Output is not escaped |
| #2784 | OnSale Page for WooCommerce | 51 | 30 | 44 | 2k+ | | | Text Domain Mismatch |
| #2785 | Quotes and Tips by BestWebSoft | 51 | 485 | 190 | 1k+ | | | Text Domain Mismatch |
| #2786 | SePay Gateway | 51 | 12 | 39 | 2k+ | | | Nonce verification recommended |
| #2787 | Popular Brand Icons – Simple Icons | 51 | 20 | 12 | 3k+ | | | Output is not escaped |
| #2788 | StoryChief | 51 | 12 | 55 | 1k+ | | | Input is not sanitized |
| #2789 | Tourfic Toolkit | 51 | 44 | 27 | 1k+ | | | Output is not escaped |
| #2790 | Trustpilot Reviews | 51 | 14 | 52 | 30k+ | | | Missing nonce verification |
| #2791 | User Activity Tracking and Log | 51 | 28 | 237 | 3k+ | | | Non-prefixed global variable |
| #2792 | VK Filter Search | 51 | 35 | 71 | 6k+ | | | Nonce verification recommended |
| #2793 | Swift SMTP (formerly Welcome Email Editor) | 51 | 12 | 62 | 7k+ | | | Missing nonce verification |
| #2794 | WP Counter Up – Animated Number Counter & Milestone Showcase | 51 | 18 | 239 | 1k+ | | | Non-prefixed global variable |
| #2795 | REST API Log | 51 | 44 | 95 | 5k+ | | | Non-prefixed hook name |
| #2796 | YayMail – WooCommerce Email Customizer | 51 | 163 | 788 | 50k+ | | | Non-prefixed global variable |
| #2797 | Affiliate Area Shortcodes by AffiliateWP | 52 | 56 | 16 | 2k+ | | | Text Domain Mismatch |
| #2798 | Debug This | 52 | 43 | 32 | 2k+ | | | Missing Translators Comment |
| #2799 | Formstack Online Forms | 52 | 39 | 20 | 1k+ | | | Output is not escaped |
| #2800 | Request a Quote for WooCommerce – Get a Quote Button | 52 | 25 | 12 | 6k+ | | | Output is not escaped |