WordPress.Security.NonceVerification.Recommended

Nonce verification recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical weight

Why It Shows Up

The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.

Why It Matters

Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.

How to Fix

  • For admin forms and action links, add and verify a nonce.
  • For AJAX handlers, use `check_ajax_referer()`.
  • For public read-only endpoints, document why a nonce is not required and keep input validation strict.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3101Categories Metabox Enhanced4077361k+Output is not escaped
#3102Category Featured Images Extended4017740400Text Domain Mismatch
#3103CleverReach Integration for Contact Form 74010343700Text Domain Mismatch
#3104Charity Addon for Elementor4048081k+Text Domain Mismatch
#3105Classified Ads40136381k+Text Domain Mismatch
#3106Cleaner Gallery404082k+Unsafe printing function
#3107Client Portal – Private user pages and login4052293k+Output is not escaped
#3108Client Portal : SuiteDash Direct Login4093171k+Text Domain Mismatch
#3109codoc4019392k+Request data is not unslashed
#3110Complete Image Sitemap4055181k+Output is not escaped
#3111Database Addon for Contact Form 7 – CFDB7403556600k+Nonce verification recommended
#3112Copyscape Premium40148133800SQL query is not prepared
#3113Country State City Dropdown CF74035545k+Direct Query
#3114Crisp – Live Chat and Chatbot40242020k+Unsafe printing function
#3115Cron Logger4049361k+Output is not escaped
#3116Cryptocurrency Widgets Pack4022252700Unsafe printing function
#3117Custom Contact Forms40131066k+Missing nonce verification
#3118Custom Simple Rss40731302k+Nonce verification recommended
#3119Dashboard Welcome for Beaver Builder4038242k+Output is not escaped
#3120Dashify: WooCommerce admin dashboard theme4016131900Nonce verification recommended
#3121Delete Me40116177k+Output is not escaped
#3122Donation Thermometer40324882k+Output is not escaped
#3123Duplicate Page4039433m+Unsafe printing function
#3124Easy Document Embedder – Embed Word, excel, Powerpoint, Pdf file and more..405527500Output is not escaped
#3125Easy Image Collage4096184k+Unsafe printing function
#3126Contact Form 7 styler for Elementor Page Builder4012610900Unsafe printing function
#3127Enhanced Custom Permalinks4051821k+Nonce verification recommended
#3128FameTheme Demo Importer4087430k+Nonce verification recommended
#3129FAQ Concertina404316600Output is not escaped
#3130FAQ Schema – Accordion, Tab, Slider & Gutenberg Block40253462k+Output is not escaped
#3131Far Future Expiry Header4025367k+Request data is not unslashed
#3132Fast User Switching4028282k+Output is not escaped
#3133Featured Post403618800Output is not escaped
#3134Flamingo4015228800k+Nonce verification recommended
#3135FluentComments – Spam protection, AntiSpam, Ajax Enhanced Comments405047700Non-prefixed global variable
#3136Flying Scripts: Delay JavaScript to Improve Site Speed & Performance40234430k+Missing direct file access protection
#3137FlyWP Helper – Page Cache, Page Optimization, Emails for FlyWP Server Control Panel4020814k+Non-prefixed global variable
#3138Fusion Page Builder40341003k+Input is not validated
#3139Analytics Germanized for Google Analytics (GDPR / DSGVO)4049147k+Output is not escaped
#3140Osom Author Pro4083221k+Output is not escaped
#3141GetPaid > Item Inventory4011252400Text Domain Mismatch
#3142Product Enquiry for WooCommerce4057413k+Output is not escaped
#3143Gravity Forms Data Persistence Add-On Reloaded401438700Input is not sanitized
#3144Header Promo – Show Top Bar Message or Call to Action4047245400Output is not escaped
#3145heatmap for WordPress – Realtime analytics4094151k+Non Singular String Literal Domain
#3146WP Armour – Honeypot Anti Spam405466400k+Missing nonce verification
#3147Hostinger Reach – AI-Powered Email Marketing for WordPress409451m+Direct Query
#3148I Agree! Popups405446500Output is not escaped
#3149If Widget – Visibility control for Widgets4099251k+Unsafe printing function
#3150Image Editor by Pixo4012666800Output is not escaped