WordPress.Security.NonceVerification.Recommended

Nonce verification recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical weight

Why It Shows Up

The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.

Why It Matters

Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.

How to Fix

  • For admin forms and action links, add and verify a nonce.
  • For AJAX handlers, use `check_ajax_referer()`.
  • For public read-only endpoints, document why a nonce is not required and keep input validation strict.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3001SEO Auto Linker3990241k+Text Domain Mismatch
#3002SEO Friendly Images392922020k+Output is not escaped
#3003Serial Number for Contact Form 739105532k+Non Singular String Literal Domain
#3004Shared Files – File Upload & Download Manager3951844k+Nonce verification recommended
#3005Shipping by Rules for WooCommerce3913048500Output is not escaped
#3006Shipping Simulator for WooCommerce39120395k+Text Domain Mismatch
#3007Show All Comments3910892400Nonce verification recommended
#3008Simpaisa Wallet (Jazzcash & Easypaisa) Payment Services3967741k+Interpolated Variable Text
#3009Simple Membership WP user Import3922464k+Request data is not unslashed
#3010Simple Posts Ticker – Easy, Lightweight & Flexible39151282k+Output is not escaped
#3011Simple Staff List39902363k+Non-prefixed global variable
#3012Slash Admin3911638500Output is not escaped
#3013Slideshow SE39352402k+Non-prefixed global variable
#3014Smaily for WP395236600Output is not escaped
#3015Solid Post Likes399652500Text Domain Mismatch
#3016Soumettre.fr391302610k+Text Domain Mismatch
#3017Spreadr Woocommerce Plugin – Amazon Importer for Dropshipping and Affiliate3942226500Request data is not unslashed
#3018Stockdio Historical Chart396516900Output is not escaped
#3019Substack Importer3933331k+Missing nonce verification
#3020Sync Post With Other Site39179213k+Non Singular String Literal Domain
#3021Tabify Edit Screen398327500Output is not escaped
#3022Tawk.To Manager3920421600Output is not escaped
#3023Easy Category Icons395043600Text Domain Mismatch
#3024OpenHook39172221k+Unsafe printing function
#3025TinyMCE Spellcheck3927322k+Unsafe printing function
#3026TomS reCAPTCHA39128256500Missing nonce verification
#3027Traffic Monitor3961431k+Direct Query
#3028UiChemy — Figma Converter for Elementor, Gutenberg and Bricks3971009k+Nonce verification recommended
#3029Ultimate Client Dash39697122k+Text Domain Mismatch
#3030Ultimate Lightbox39110591k+Unsafe printing function
#3031Universal Google Adsense and Ads manager3970312k+Unsafe printing function
#3032upPrev3935361k+Dynamic hook name
#3033Uptolike Social Share Buttons3938334k+Output is not escaped
#3034Use Any Font | Custom Font Uploader393655200k+Request data is not unslashed
#3035User Blocker3962763k+Nonce verification recommended
#3036Smart Variation Swatches and Attribute Filters for WooCommerce3939503k+Output is not escaped
#3037Virtuaria Correios – Frete, Etiqueta, Rastreio e Declaração391881500Nonce verification recommended
#3038Virusdie | One-click website security39149662k+Output is not escaped
#3039Visual Portfolio, Photo Gallery & Post Grid393418960k+Non-prefixed hook name
#3040Payments via PayMongo for WooCommerce3936811k+Nonce verification recommended
#3041Smart COD for WooCommerce39502830k+Output is not escaped
#3042WebHotelier for WordPress3945140500Text Domain Mismatch
#3043Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types398911720k+Unsafe printing function
#3044Woo Button Text395321500Output is not escaped
#3045Combo Offers WooCommerce3938892k+Missing nonce verification
#3046CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x39722220k+Non-prefixed hook name
#3047PayU GPO Payment for WooCommerce39449110k+Output is not escaped
#3048Modal Fly Cart & AJAX Add to Cart for WooCommerce3983742k+Text Domain Mismatch
#3049Claudio Sanches – PagSeguro for WooCommerce39873710k+Unsafe printing function
#3050WP Accessibility3920010460k+Unsafe printing function