WordPress.Security.NonceVerification.Recommended

Nonce verification recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical weight

Why It Shows Up

The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.

Why It Matters

Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.

How to Fix

  • For admin forms and action links, add and verify a nonce.
  • For AJAX handlers, use `check_ajax_referer()`.
  • For public read-only endpoints, document why a nonce is not required and keep input validation strict.
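The first two fixes above, as an added example (not code from Plugin Check or from any plugin listed on this page). The `myplugin` prefix, the action, field and option names, and the settings page slug are hypothetical.

```php
<?php
// Added example: all "myplugin_*" names are hypothetical.

// Admin form: emit the nonce together with the form fields.
function myplugin_render_form() {
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="myplugin_save" />
		<?php wp_nonce_field( 'myplugin_save', 'myplugin_nonce' ); ?>
		<input type="text" name="label" />
		<?php submit_button(); ?>
	</form>
	<?php
}

// Form handler: verify the nonce before reading any other request field.
function myplugin_handle_save() {
	// Stops the request if the nonce is missing or invalid.
	check_admin_referer( 'myplugin_save', 'myplugin_nonce' );

	// A nonce is not an authorization check, so test the capability too.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Not allowed.', 'myplugin' ), '', array( 'response' => 403 ) );
	}

	$label = isset( $_POST['label'] ) ? sanitize_text_field( wp_unslash( $_POST['label'] ) ) : '';
	update_option( 'myplugin_label', $label );

	wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
	exit;
}
add_action( 'admin_post_myplugin_save', 'myplugin_handle_save' );

// AJAX handler: check_ajax_referer() reads the nonce from the named request field.
function myplugin_ajax_toggle() {
	check_ajax_referer( 'myplugin_toggle', 'nonce' );

	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
	}

	$enabled = isset( $_POST['enabled'] ) ? absint( wp_unslash( $_POST['enabled'] ) ) : 0;
	update_option( 'myplugin_enabled', $enabled ? 1 : 0 );
	wp_send_json_success( array( 'enabled' => (bool) $enabled ) );
}
add_action( 'wp_ajax_myplugin_toggle', 'myplugin_ajax_toggle' );
```

The script that calls the AJAX action needs a nonce created with `wp_create_nonce( 'myplugin_toggle' )` and sent in the `nonce` field.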

Affected Plugins

Rank | Plugin | Score Errors Warnings Installs Added Updated | Top Issue
#2851 | VidShop – Shoppable Videos for WooCommerce | 38491441k+ | Database parameter is not escaped
#2852 | Ninja Forms Views – Display & Edit Ninja Forms Submissions on your site frontend | 3884491k+ | Output is not escaped
#2853 | TWIPLA (Visitor Analytics IO) – Privacy-First Website Stats, Session Recordings, Heatmaps, Polls and Surveys | 387149900 | Output is not escaped
#2854 | Visual Admin Customizer | 382051500 | Input is not sanitized
#2855 | Chatbox Manager | 3885578400 | Output is not escaped
#2856 | SSLCommerz Payment Gateway | 38211322k+ | Non-prefixed global variable
#2857 | Affiliate Sales in Google Analytics and other tools | 3823841k+ | Request data is not unslashed
#2858 | White Label – WordPress Custom Admin, Custom Login Page, and Custom Dashboard | 382053110k+ | Output is not escaped
#2859 | WholesaleX – B2B & Wholesale Plugin for WooCommerce with Wholesale Prices | 38401802k+ | Non-prefixed global variable
#2860 | WishSuite – Wishlist for WooCommerce | 38761331k+ | Output is not escaped
#2861 | Products Coming Soon for WooCommerce | 3815162700 | Output is not escaped
#2862 | Show Stock Status for WooCommerce | 3830191k+ | Output is not escaped
#2863 | Vietnam Checkout for WooCommerce | 389313710k+ | Nonce verification recommended
#2864 | Connect WooCommerce Shop to ERP/CRM, Verifactu and EU/VAT Compliance | 38231041k+ | Direct Query
#2865 | WP Accessibility Helper (WAH) | 38618810k+ | Missing direct file access protection
#2866 | WP Client Reports | 3895806k+ | Unsafe printing function
#2867 | WP-DraftsForFriends | 38141711k+ | Output is not escaped
#2868 | WP Mailgun SMTP | 389951900 | Text Domain Mismatch
#2869 | WP Maintenance Mode & Site Under Construction | 3872573k+ | Output is not escaped
#2870 | WP Media Categories | 3840103800 | Nonce verification recommended
#2871 | Native PHP Sessions | 38309210k+ | Direct Query
#2872 | WP Safe Mode | 3895552k+ | Output is not escaped
#2873 | External Store for Shopify | 3897332k+ | Output is not escaped
#2874 | WP Terms Popup – Terms and Conditions and Privacy Policy WordPress Popups | 38299583k+ | Non Singular String Literal Domain
#2875 | WP Video Lightbox | 381076730k+ | Unsafe printing function
#2876 | WPC Product Options for WooCommerce | 38571824k+ | Non-prefixed global variable
#2877 | Responsive Vertical Icon Menu | 3818885700 | Output is not escaped
#2878 | WPTurbo -WordPress性能优化插件 | 382034600 | Output is not escaped
#2879 | Weather Underground | 3864273k+ | Output is not escaped
#2880 | ZeroBounce Email Verification & Validation | 382991621k+ | Text Domain Mismatch
#2881 | Zoho Campaigns | 3831293k+ | Non-prefixed global variable
#2882 | Smart Custom 404 Error Page | 399044100k+ | Output is not escaped
#2883 | ACF: Google Font Selector | 3957453k+ | Output is not escaped
#2884 | Ad Invalid Click Protector (AICP) | 39785710k+ | Text Domain Mismatch
#2885 | Additional Order Filters for WooCommerce | 39792552k+ | Nonce verification recommended
#2886 | Advanced Product Fields (Product Addons) for WooCommerce | 3914514550k+ | Output is not escaped
#2887 | Advanced Woo Labels – Product Labels & Badges for WooCommerce | 3917312510k+ | Output is not escaped
#2888 | Affiliate Links – Link Cloaking and Management | 39231133k+ | Non-prefixed global variable
#2889 | AffiliatePages – Pros & Cons, Notice, and CTA Blocks for Affiliates | 3991532k+ | Output is not escaped
#2890 | AffiliateWP – Affiliate Area Tabs | 3986263k+ | Output is not escaped
#2891 | Load More Anything | 3938735k+ | Output is not escaped
#2892 | Accessibility by AllAccessible | 39200822k+ | Unsafe printing function
#2893 | Andreani WooCommerce | 392186700 | Non-prefixed global variable
#2894 | Animate It! | 391371620k+ | Text Domain Mismatch
#2895 | Anything Order by Terms | 3948931k+ | Direct Query
#2896 | Archive Control | 39151671k+ | Unsafe printing function
#2897 | Timeline – Vertical and Horizontal Timeline Layouts | 39500432k+ | Output is not escaped
#2898 | bbPress Voting | 392753500 | Output is not escaped
#2899 | Benchmark Email Lite | 3986231k+ | Output is not escaped
#2900 | Better Random Redirect | 398840700 | Text Domain Mismatch