WordPress.Security.NonceVerification.Recommended

Nonce verification recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical weight

Why It Shows Up

The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.

Why It Matters

Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.

How to Fix

  • For admin forms and action links, add and verify a nonce.
  • For AJAX handlers, use `check_ajax_referer()`.
  • For public read-only endpoints, document why a nonce is not required and keep input validation strict.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2901Blackhole for Bad Bots391236930k+Output is not escaped
#2902Blogger Importer Extended3955454k+Output is not escaped
#2903Bogo393013910k+Request data is not unslashed
#2904BOX NOW Delivery Croatia396499700Missing nonce verification
#2905Bulk Auto Image Alt Text (Alt tag, Alt attribute) optimizer (image SEO)39164710k+Request data is not unslashed
#2906Bulk NoIndex & NoFollow Toolkit39721722k+Nonce verification recommended
#2907Better WordPress External Links3913035400Non Singular String Literal Domain
#2908Calculator Builder – Create an Online Calculator39162211k+Non-prefixed global variable
#2909Saitama Addon Pack39152271k+Output is not escaped
#2910Contact Form 7 extension for Google Map fields3911858500Missing Arg Domain
#2911Innozilla Skins for Contact Form 739152222k+Output is not escaped
#2912Constant Contact + WooCommerce3927911k+Nonce verification recommended
#2913Contact Form 7 – Dynamic Text Extension3910328100k+Output is not escaped
#2914Image CAPTCHA for Contact Form 7 and WPForms by HookAndHook (DSGVO/GDPR)39284580k+Missing nonce verification
#2915Content Visibility for Divi Builder39184592k+Non Singular String Literal Domain
#2916Cookies for Comments39222920k+Input is not validated
#2917Country & Phone Field Contact Form 7391173440k+Text Domain Mismatch
#2918Culqi39571881k+Text Domain Mismatch
#2919Custom Post Type Auto Menu395433500Text Domain Mismatch
#2920Custom Related Posts39131343k+Output is not escaped
#2921Custom Thank You for WooCommerce3910757400Output is not escaped
#2922Da Reactions3915140400Request data is not unslashed
#2923Dashboard Cleaner394091500Missing nonce verification
#2924Datalogics Ecommerce Delivery – Datalogics3913115500Nonce verification recommended
#2925DefendWP Firewall39162033k+Non-prefixed global variable
#2926Deliverability – pass DKIM, SPF, DMARC & more392171800Nonce verification recommended
#2927Drip for Gravity Forms394121500Unsafe printing function
#2928Duplicate Killer – Prevent Duplicate Form Submissions39571031k+Non-prefixed global variable
#2929WeShareAI – AI-Powered Share Buttons (formerly E-MAILiT)3916524700Unsafe printing function
#2930Easy PayPal Events & Tickets39285501k+Request data is not unslashed
#2931Editor Menu and Widget Access3981247k+Output is not escaped
#2932Caldera Forms styler for Elementor Page Builder3917312700Text Domain Mismatch
#2933ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor39733481m+Non-prefixed global variable
#2934Email Marketing by EmailOctopus3943623k+Non-prefixed global variable
#2935Events Manager – Zoom Integration3914143700Output is not escaped
#2936BestWebSoft's Like & Share – Posts, Pages and Widget Social Extension plugin for WordPress394802264k+Text Domain Mismatch
#2937FaniMani.pl3910311600Output is not escaped
#2938Favorites3918712310k+Unsafe printing function
#2939Fix Duplicates397673800Output is not escaped
#2940Flamix: Bitrix24 and WooCommerce Orders integration398131500Output is not escaped
#2941GDPRess | Eliminate external requests to increase GDPR compliance3960261k+Output is not escaped
#2942Genesis Dambuster3994673k+Output is not escaped
#2943GF Mollie by Indigo398233900Exception output is not escaped
#2944GL Import External Images3911819800wp function not compatible with requires wp
#2945Prisna GWT – Google Website Translator39117778k+Text Domain Mismatch
#2946GoSMTP – SMTP for WordPress395942500k+Output is not escaped
#2947Graphina – Charts and Graphs For Elementor391,91011310k+Text Domain Mismatch
#2948Gravity Slider Fields3956362k+Text Domain Mismatch
#2949GS Only PDF Preview3946361k+Output is not escaped
#2950Gutenverse News – News Blocks for Blog & Magazine Sites393765800Non-prefixed hook name