WordPress.Security.NonceVerification.Recommended

Nonce verification recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical weight

Why It Shows Up

The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.

Why It Matters

Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.

How to Fix

  • For admin forms and action links, add and verify a nonce.
  • For AJAX handlers, use `check_ajax_referer()`.
  • For public read-only endpoints, document why a nonce is not required and keep input validation strict.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3051PayU GPO Payment for WooCommerce39449110k+Output is not escaped
#3052Modal Fly Cart & AJAX Add to Cart for WooCommerce3983742k+Text Domain Mismatch
#3053Claudio Sanches – PagSeguro for WooCommerce39873710k+Unsafe printing function
#3054WP Accessibility3920010460k+Unsafe printing function
#3055Aparat for WordPress3959143k+Output is not escaped
#3056WP Attachments3949443k+Output is not escaped
#3057WP-Cycle3953173k+Output is not escaped
#3058WPEPP – Essential Security, Password Protect & Login Page Customizer3934293k+Unsupported Identifier Placeholder
#3059WP Gmail SMTP3999501k+Text Domain Mismatch
#3060WP Limit Login Attempts39266710k+Direct Query
#3061WP Multibyte Patch3924551m+Input is not sanitized
#3062WP Performance Score Booster – Optimize Speed, Enable Cache & Page Preload39592710k+Unsafe printing function
#3063WP Realtime Sitemap39464110k+Output is not escaped
#3064WP Revision Master399629900Text Domain Mismatch
#3065WP SendGrid SMTP3999501k+Text Domain Mismatch
#3066WP Sitemap Control393137400Output is not escaped
#3067WP Sitemaps Config398837700Output is not escaped
#3068WP-Slimbox2 Plugin3977193k+Unsafe printing function
#3069AidWP – Donation & Payment Forms (Stripe Powered)39193800Non-prefixed global variable
#3070Categories to Tags Converter39863850k+Output is not escaped
#3071WPS Limit Login3915276100k+Output is not escaped
#3072YITH Custom Login3986335k+Output is not escaped
#3073404 Notifier403941700Output is not escaped
#3074ACF qTranslate40184258k+Output is not escaped
#3075ACF Theme Code for Advanced Custom Fields404784010k+Output is not escaped
#3076ACF to Custom Database Tables403664600Nonce verification recommended
#3077Address Autocomplete Anything409432900Unsafe printing function
#3078Admin Search4031471k+Output is not escaped
#3079Advanced Admin Search407948600Non Singular String Literal Text
#3080Advanced Country Blocker4023772k+Exception output is not escaped
#3081Advanced Custom Fields: Font Awesome Field403327090k+Text Domain Mismatch
#3082Advanced WPLink4067191k+Text Domain Mismatch
#3083AgreeMe Checkboxes For WooCommerce408844600Text Domain Mismatch
#3084Allow Multiple Accounts40115199k+Non Singular String Literal Domain
#3085Alt Magic: AI Image Alt Text Generator for WP & Image Rename40551181k+Direct Query
#3086amCharts: Charts and Maps402631132k+Text Domain Mismatch
#3087Analytics Cat – Google Analytics Made Easy4083276k+Text Domain Mismatch
#3088Atomic Edge Security – Firewall, Malware Scan and Login Security4012184700Non-prefixed global variable
#3089Autocomplete LearnDash Lessons and Topics4046161k+Missing Arg Domain
#3090AutoConvert Greeklish Permalinks401161330k+Text Domain Mismatch
#3091Mastodon Autopost404150800Output is not escaped
#3092Back To The Top Button40312714k+Non-prefixed global variable
#3093Bangladeshi Payment Gateways – Make Payment Using QR Code4040365k+Output is not escaped
#3094Basic Interactive World Map4094541k+Text Domain Mismatch
#3095Better Internal Link Search4023481k+strip tags strip tags
#3096BH Custom CSS3 Preloader – Just play and play4043926900Text Domain Mismatch
#3097Black Studio TinyMCE Widget403928200k+Output is not escaped
#3098Broken Link Notifier40111931k+Non-prefixed global variable
#3099Bubble Menu – Floating Button Menu with Sticky Navigation4022161k+Nonce verification recommended
#3100BuddyPress Profile Completion402830500Output is not escaped