WordPress.Security.NonceVerification.Recommended
Nonce verification recommended
The code reads `$_GET` or `$_REQUEST` data in a place where Plugin Check recommends a nonce check. The sibling error `WordPress.Security.NonceVerification.Missing` covers `$_POST` and `$_FILES`, whose use almost always changes state; this warning covers the superglobals that often do not.
Why It Shows Up
The sniff fires when `$_GET` or `$_REQUEST` is read in a function that contains no nonce-verification call (`wp_verify_nonce()`, `check_admin_referer()` or `check_ajax_referer()`). Query-string parameters frequently drive read-only behaviour such as filtering, sorting and pagination, which needs no nonce, but the static scan cannot tell that apart from a state-changing action link (`?action=delete&id=5`), so it reports a warning rather than an error and leaves the judgement to you.
Why It Matters
Nonces are WordPress's defence against cross-site request forgery: `wp_create_nonce()` derives a short-lived token from the current user, session and a named action, and verification rejects requests that do not carry a matching token. Without one, any page an attacker controls can make a logged-in administrator's browser issue the request, since the browser attaches the session cookie automatically. Adding a nonce also documents that the request is expected to originate from the plugin's own UI. A nonce is not an authorization check: it proves the request came from a page the user loaded, not that the user may perform the action, so pair it with `current_user_can()`.
How to Fix
- For admin forms, emit `wp_nonce_field()` and verify with `check_admin_referer()`; for action links, build the URL with `wp_nonce_url()` and verify the same way before reading the request.
- For AJAX handlers, pass the nonce to the browser (for example via `wp_localize_script()`) and verify it with `check_ajax_referer()` as the first statement of the handler.
- For public read-only endpoints, where anonymous visitors have no session to bind a nonce to, document why a nonce is not required (a `phpcs:ignore` comment carrying the reason), keep input validation strict, and confirm the handler changes no state.
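The three cases above in one plugin file, as an added example that is not code from Plugin Check or from any plugin listed below. The `myplugin_` function and hook names, the nonce action strings (`myplugin_export`, `myplugin_search`) and the `myplugin_year` query parameter are assumptions chosen for the illustration; the WordPress API calls are real.

```php
<?php
/**
 * Added example, not Plugin Check's or any listed plugin's code: three ways to
 * satisfy WordPress.Security.NonceVerification.Recommended. All "myplugin_"
 * names and the nonce action strings are assumptions for the illustration.
 */

// 1. Admin action link: create the nonce when rendering the link ...
function myplugin_render_export_link() {
	$url = add_query_arg(
		array( 'page' => 'myplugin', 'myplugin_action' => 'export' ),
		admin_url( 'tools.php' )
	);
	// wp_nonce_url() appends _wpnonce bound to the 'myplugin_export' action.
	echo '<a href="' . esc_url( wp_nonce_url( $url, 'myplugin_export' ) ) . '">'
		. esc_html__( 'Export', 'myplugin' ) . '</a>';
}

// ... and verify it, plus the capability, before reading anything from $_GET.
function myplugin_handle_export() {
	if ( ! isset( $_GET['myplugin_action'] ) ) {
		return;
	}
	// A nonce is not authorization: the capability check comes first.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Insufficient permissions.', 'myplugin' ), '', array( 'response' => 403 ) );
	}
	// Dies with a "link expired" page on a missing, forged or expired nonce.
	check_admin_referer( 'myplugin_export' );

	$action = sanitize_key( wp_unslash( $_GET['myplugin_action'] ) );
	if ( 'export' === $action ) {
		// ... run the export ...
	}
}
add_action( 'admin_init', 'myplugin_handle_export' );

// 2. AJAX: hand the nonce to the browser script, then verify it in the handler.
function myplugin_enqueue_admin_js() {
	wp_enqueue_script( 'myplugin-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
	wp_localize_script(
		'myplugin-admin',
		'mypluginAjax',
		array(
			'url'   => admin_url( 'admin-ajax.php' ),
			'nonce' => wp_create_nonce( 'myplugin_search' ),
		)
	);
}
add_action( 'admin_enqueue_scripts', 'myplugin_enqueue_admin_js' );

function myplugin_ajax_search() {
	// Reads $_REQUEST['nonce'] and dies with -1 (HTTP 403) if it does not verify.
	check_ajax_referer( 'myplugin_search', 'nonce' );
	if ( ! current_user_can( 'edit_posts' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}
	$term = isset( $_GET['term'] ) ? sanitize_text_field( wp_unslash( $_GET['term'] ) ) : '';
	wp_send_json_success( array( 'term' => $term ) );
}
add_action( 'wp_ajax_myplugin_search', 'myplugin_ajax_search' );

// 3. Public read-only filter: anonymous visitors have no session to bind a
//    nonce to, so none is used. Validate strictly and record the reason so a
//    reviewer (and the sniff) can see the suppression is deliberate.
function myplugin_filter_query( $query ) {
	if ( is_admin() || ! $query->is_main_query() ) {
		return;
	}
	// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- read-only filter on a public archive; no state change.
	$year = isset( $_GET['myplugin_year'] ) ? absint( $_GET['myplugin_year'] ) : 0;
	if ( $year > 1970 && $year < 2100 ) {
		$query->set( 'year', $year );
	}
}
add_action( 'pre_get_posts', 'myplugin_filter_query' );
```

The ordering in case 1 matters: the capability check rejects users who should never reach the action, the nonce check rejects requests the user did not initiate from the plugin's page, and only then is the request parameter unslashed, sanitized and acted on. In case 3 the `phpcs:ignore` line suppresses only the next statement, so any later read of `$_GET` in the same function is still scanned.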
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue |
|---|---|---|---|---|---|---|
| #2801 | XML Sitemap & Google News | 47 | 270 | 224 | 100k+ | Non-prefixed global variable |
| #2802 | Add Polylang support for Customizer | 48 | 18 | 20 | 2k+ | Nonce verification recommended |
| #2803 | Ansar Import – One Click Starter Sites – for Elementor & Themes | 48 | 27 | 116 | 20k+ | Non-prefixed global variable |
| #2804 | Better Block Patterns | 48 | 77 | 11 | 1k+ | Missing direct file access protection |
| #2805 | Current Menu Item for Custom Post Types | 48 | 18 | 30 | 2k+ | Non-prefixed global variable |
| #2806 | Filter Page by Template | 48 | 17 | 20 | 2k+ | Nonce verification recommended |
| #2807 | Fixed And Sticky Header | 48 | 31 | 7 | 1k+ | Output is not escaped |
| #2808 | Maps Plugin using Google Maps for WordPress – WP Google Map | 48 | 289 | 38 | 10k+ | wp function not compatible with requires wp |
| #2809 | Tag Pilot FREE – Google Tag Manager Integration for WooCommerce | 48 | 35 | 19 | 1k+ | Output is not escaped |
| #2810 | Hotline Phone Ring | 48 | 16 | 15 | 8k+ | Output is not escaped |
| #2811 | JW Player for WordPress | 48 | 289 | 80 | 1k+ | Text Domain Mismatch |
| #2812 | Raw HTML Snippets | 48 | 14 | 36 | 2k+ | Input is not sanitized |
| #2813 | Simple Custom Post Order | 48 | 10 | 77 | 300k+ | Direct Query |
| #2814 | Easy Updates Manager | 48 | 13 | 182 | 300k+ | Non-prefixed global variable |
| #2815 | WC Provincia Canton Distrito | 48 | 103 | 14 | 1k+ | Text Domain Mismatch |
| #2816 | WPC Smart Wishlist for WooCommerce | 48 | 44 | 38 | 100k+ | Output is not escaped |
| #2817 | WP Login Form | 48 | 14 | 20 | 7k+ | Request data is not unslashed |
| #2818 | ACF Quick Edit Fields | 49 | 20 | 72 | 30k+ | Nonce verification recommended |
| #2819 | Advanced Automatic Updates | 49 | 26 | 25 | 20k+ | Nonce verification recommended |
| #2820 | Analytics by BestWebSoft – Google Analytics Dashboard and Statistic Plugin for WordPress | 49 | 478 | 176 | 1k+ | Text Domain Mismatch |
| #2821 | CallPage – Callback Widget | 49 | 41 | 17 | 1k+ | Non Singular String Literal Domain |
| #2822 | Gallery Carousel Without JetPack | 49 | 56 | 35 | 4k+ | Text Domain Mismatch |
| #2823 | Successful Redirection for Contact Form | 49 | 33 | 20 | 10k+ | Text Domain Mismatch |
| #2824 | Download Media Library | 49 | 22 | 40 | 1k+ | Text Domain Mismatch |
| #2825 | Drag and Drop Multiple File Upload for WooCommerce | 49 | 114 | 29 | 5k+ | Text Domain Mismatch |
| #2826 | Easy Google AdSense | 49 | 19 | 12 | 5k+ | Output is not escaped |
| #2827 | Easy Media Download | 49 | 20 | 15 | 9k+ | Output is not escaped |
| #2828 | Easy Property Listings | 49 | 60 | 66 | 5k+ | wp function not compatible with requires wp |
| #2829 | Import into Easy Property Listings | 49 | 335 | 24 | 1k+ | Text Domain Mismatch |
| #2830 | Ecommerce Fabrick | 49 | 4 | 135 | 1k+ | Nonce verification recommended |
| #2831 | Web Icons | 49 | 51 | 10 | 1k+ | Output is not escaped |
| #2832 | OneClick Chat to Order | 49 | 677 | 41 | 40k+ | Text Domain Mismatch |
| #2833 | PostmagThemes Demo Import | 49 | 192 | 114 | 1k+ | Text Domain Mismatch |
| #2834 | ReCrawler | 49 | 10 | 40 | 4k+ | Direct Query |
| #2835 | Registered Users Only | 49 | 14 | 14 | 2k+ | Unsafe printing function |
| #2836 | Search in Place | 49 | 74 | 57 | 3k+ | wp function not compatible with requires wp |
| #2837 | Secondary Product Image for WooCommerce | 49 | 25 | 29 | 2k+ | Output is not escaped |
| #2838 | UiCore Animate – Free Animations, Transitions, and Interactions Addon for Elementor & Gutenberg blocks | 49 | 34 | 38 | 40k+ | Missing direct file access protection |
| #2839 | Users by Date Registered | 49 | 13 | 20 | 1k+ | Nonce verification recommended |
| #2840 | PDF Invoices & Packing Slips for WooCommerce – Challan | 49 | 56 | 151 | 3k+ | Non-prefixed global variable |
| #2841 | Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit | 49 | 5 | 145 | 1k+ | Missing nonce verification |
| #2842 | Product Slider, Product Grid, Product Masonry | 49 | 55 | 144 | 10k+ | wp function not compatible with requires wp |
| #2843 | WP Sitemap Page | 49 | 43 | 14 | 200k+ | Missing Translators Comment |
| #2844 | Page Builder Gutenberg Blocks – CoBlocks | 50 | 167 | 36 | 300k+ | block api version too low |
| #2845 | Disable Site | 50 | 26 | 3 | 4k+ | Output is not escaped |
| #2846 | Dynamic Pricing and Discount Rules | 50 | 25 | 65 | 1k+ | Non Singular String Literal Text |
| #2847 | File Manager | 50 | 42 | 72 | 10k+ | Missing direct file access protection |
| #2848 | Block IPs for Gravity Forms | 50 | 8 | 36 | 1k+ | Request data is not unslashed |
| #2849 | Headline Analyzer | 50 | 13 | 31 | 1k+ | Nonce verification recommended |
| #2850 | HT Slider For Elementor | 50 | 884 | 40 | 20k+ | Text Domain Mismatch |