WordPress.Security.NonceVerification.Recommended
Nonce verification recommended
The code reads request data in a place where Plugin Check recommends a nonce check.
Why It Shows Up
The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.
Why It Matters
Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.
How to Fix
- For admin forms and action links, add and verify a nonce.
- For AJAX handlers, use `check_ajax_referer()`.
- For public read-only endpoints, document why a nonce is not required and keep input validation strict.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3051 | PayU GPO Payment for WooCommerce | 39 | 44 | 91 | 10k+ | Output is not escaped | ||
| #3052 | Modal Fly Cart & AJAX Add to Cart for WooCommerce | 39 | 83 | 74 | 2k+ | Text Domain Mismatch | ||
| #3053 | Claudio Sanches – PagSeguro for WooCommerce | 39 | 87 | 37 | 10k+ | Unsafe printing function | ||
| #3054 | WP Accessibility | 39 | 200 | 104 | 60k+ | Unsafe printing function | ||
| #3055 | Aparat for WordPress | 39 | 59 | 14 | 3k+ | Output is not escaped | ||
| #3056 | WP Attachments | 39 | 49 | 44 | 3k+ | Output is not escaped | ||
| #3057 | WP-Cycle | 39 | 53 | 17 | 3k+ | Output is not escaped | ||
| #3058 | WPEPP – Essential Security, Password Protect & Login Page Customizer | 39 | 34 | 29 | 3k+ | Unsupported Identifier Placeholder | ||
| #3059 | WP Gmail SMTP | 39 | 99 | 50 | 1k+ | Text Domain Mismatch | ||
| #3060 | WP Limit Login Attempts | 39 | 26 | 67 | 10k+ | Direct Query | ||
| #3061 | WP Multibyte Patch | 39 | 24 | 55 | 1m+ | Input is not sanitized | ||
| #3062 | WP Performance Score Booster – Optimize Speed, Enable Cache & Page Preload | 39 | 59 | 27 | 10k+ | Unsafe printing function | ||
| #3063 | WP Realtime Sitemap | 39 | 46 | 41 | 10k+ | Output is not escaped | ||
| #3064 | WP Revision Master | 39 | 96 | 29 | 900 | Text Domain Mismatch | ||
| #3065 | WP SendGrid SMTP | 39 | 99 | 50 | 1k+ | Text Domain Mismatch | ||
| #3066 | WP Sitemap Control | 39 | 31 | 37 | 400 | Output is not escaped | ||
| #3067 | WP Sitemaps Config | 39 | 88 | 37 | 700 | Output is not escaped | ||
| #3068 | WP-Slimbox2 Plugin | 39 | 77 | 19 | 3k+ | Unsafe printing function | ||
| #3069 | AidWP – Donation & Payment Forms (Stripe Powered) | 39 | 193 | 800 | Non-prefixed global variable | |||
| #3070 | Categories to Tags Converter | 39 | 86 | 38 | 50k+ | Output is not escaped | ||
| #3071 | WPS Limit Login | 39 | 152 | 76 | 100k+ | Output is not escaped | ||
| #3072 | YITH Custom Login | 39 | 86 | 33 | 5k+ | Output is not escaped | ||
| #3073 | 404 Notifier | 40 | 39 | 41 | 700 | Output is not escaped | ||
| #3074 | ACF qTranslate | 40 | 184 | 25 | 8k+ | Output is not escaped | ||
| #3075 | ACF Theme Code for Advanced Custom Fields | 40 | 478 | 40 | 10k+ | Output is not escaped | ||
| #3076 | ACF to Custom Database Tables | 40 | 36 | 64 | 600 | Nonce verification recommended | ||
| #3077 | Address Autocomplete Anything | 40 | 94 | 32 | 900 | Unsafe printing function | ||
| #3078 | Admin Search | 40 | 31 | 47 | 1k+ | Output is not escaped | ||
| #3079 | Advanced Admin Search | 40 | 79 | 48 | 600 | Non Singular String Literal Text | ||
| #3080 | Advanced Country Blocker | 40 | 23 | 77 | 2k+ | Exception output is not escaped | ||
| #3081 | Advanced Custom Fields: Font Awesome Field | 40 | 332 | 70 | 90k+ | Text Domain Mismatch | ||
| #3082 | Advanced WPLink | 40 | 67 | 19 | 1k+ | Text Domain Mismatch | ||
| #3083 | AgreeMe Checkboxes For WooCommerce | 40 | 88 | 44 | 600 | Text Domain Mismatch | ||
| #3084 | Allow Multiple Accounts | 40 | 115 | 19 | 9k+ | Non Singular String Literal Domain | ||
| #3085 | Alt Magic: AI Image Alt Text Generator for WP & Image Rename | 40 | 55 | 118 | 1k+ | Direct Query | ||
| #3086 | amCharts: Charts and Maps | 40 | 263 | 113 | 2k+ | Text Domain Mismatch | ||
| #3087 | Analytics Cat – Google Analytics Made Easy | 40 | 83 | 27 | 6k+ | Text Domain Mismatch | ||
| #3088 | Atomic Edge Security – Firewall, Malware Scan and Login Security | 40 | 12 | 184 | 700 | Non-prefixed global variable | ||
| #3089 | Autocomplete LearnDash Lessons and Topics | 40 | 46 | 16 | 1k+ | Missing Arg Domain | ||
| #3090 | AutoConvert Greeklish Permalinks | 40 | 116 | 13 | 30k+ | Text Domain Mismatch | ||
| #3091 | Mastodon Autopost | 40 | 41 | 50 | 800 | Output is not escaped | ||
| #3092 | Back To The Top Button | 40 | 31 | 271 | 4k+ | Non-prefixed global variable | ||
| #3093 | Bangladeshi Payment Gateways – Make Payment Using QR Code | 40 | 40 | 36 | 5k+ | Output is not escaped | ||
| #3094 | Basic Interactive World Map | 40 | 94 | 54 | 1k+ | Text Domain Mismatch | ||
| #3095 | Better Internal Link Search | 40 | 23 | 48 | 1k+ | strip tags strip tags | ||
| #3096 | BH Custom CSS3 Preloader – Just play and play | 40 | 439 | 26 | 900 | Text Domain Mismatch | ||
| #3097 | Black Studio TinyMCE Widget | 40 | 39 | 28 | 200k+ | Output is not escaped | ||
| #3098 | Broken Link Notifier | 40 | 11 | 193 | 1k+ | Non-prefixed global variable | ||
| #3099 | Bubble Menu – Floating Button Menu with Sticky Navigation | 40 | 2 | 216 | 1k+ | Nonce verification recommended | ||
| #3100 | BuddyPress Profile Completion | 40 | 28 | 30 | 500 | Output is not escaped |