WordPress.Security.NonceVerification.Recommended
Nonce verification recommended
The code reads request data in a place where Plugin Check recommends a nonce check.
Why It Shows Up
The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.
Why It Matters
Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.
How to Fix
- For admin forms and action links, add and verify a nonce.
- For AJAX handlers, use `check_ajax_referer()`.
- For public read-only endpoints, document why a nonce is not required and keep input validation strict.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3151 | Interactive US Map | 40 | 136 | 54 | 400 | Text Domain Mismatch | ||
| #3152 | Internal Linking of Related Contents | 40 | 714 | 47 | 1k+ | Output is not escaped | ||
| #3153 | Quotes Addon for GetPaid | 40 | 191 | 21 | 700 | Text Domain Mismatch | ||
| #3154 | JSM Show Order Metadata for WooCommerce HPOS | 40 | 17 | 64 | 700 | Nonce verification recommended | ||
| #3155 | JSM Show Post Metadata | 40 | 15 | 66 | 10k+ | Nonce verification recommended | ||
| #3156 | JSM Show Term Metadata | 40 | 14 | 64 | 900 | Nonce verification recommended | ||
| #3157 | JSM Show User Metadata | 40 | 14 | 64 | 3k+ | Nonce verification recommended | ||
| #3158 | La Sentinelle antispam | 40 | 88 | 46 | 3k+ | Output is not escaped | ||
| #3159 | Limit Login Attempts | 40 | 81 | 38 | 300k+ | Output is not escaped | ||
| #3160 | Links shortcode | 40 | 73 | 13 | 900 | Unsafe printing function | ||
| #3161 | Listdomer Core | 40 | 45 | 92 | 400 | Non-prefixed global variable | ||
| #3162 | WP All Import – Listings Import for Listify | 40 | 34 | 27 | 400 | Output is not escaped | ||
| #3163 | LJ Multi Column Archive | 40 | 17 | 25 | 1k+ | Output is not escaped | ||
| #3164 | LLM Bot Tracker – AI Crawler Detection & Analytics | 40 | 18 | 90 | 700 | Database parameter is not escaped | ||
| #3165 | Loan Comparison | 40 | 27 | 192 | 400 | Request data is not unslashed | ||
| #3166 | Logbook | 40 | 33 | 59 | 1k+ | Nonce verification recommended | ||
| #3167 | WPO365 | Mail Integration for Office 365 / Outlook | 40 | 59 | 27 | 2k+ | Output is not escaped | ||
| #3168 | Manual Image Crop | 40 | 178 | 61 | 8k+ | Output is not escaped | ||
| #3169 | MAS Company Reviews For WP Job Manager | 40 | 44 | 71 | 1k+ | Output is not escaped | ||
| #3170 | Mass Email To Users | 40 | 84 | 81 | 800 | Output is not escaped | ||
| #3171 | MembershipWorks – Membership, Events & Directory | 40 | 41 | 29 | 2k+ | Output is not escaped | ||
| #3172 | Modal Window – create popup modal window | 40 | 4 | 170 | 10k+ | Non-prefixed global variable | ||
| #3173 | 코드엠샵 소셜톡 | 40 | 47 | 36 | 400 | Output is not escaped | ||
| #3174 | My Social Feeds – Social Feeds Embedder Plugin for WP | 40 | 8 | 77 | 400 | Request data is not unslashed | ||
| #3175 | Flying Images: Optimize and Lazy Load Images for Faster Page Speed | 40 | 32 | 58 | 3k+ | Missing direct file access protection | ||
| #3176 | No-Bot Registration | 40 | 112 | 42 | 2k+ | Unsafe printing function | ||
| #3177 | No CAPTCHA reCAPTCHA | 40 | 112 | 26 | 4k+ | Text Domain Mismatch | ||
| #3178 | One Click SSL | 40 | 136 | 62 | 10k+ | Unsafe printing function | ||
| #3179 | Page Comments Off Please | 40 | 17 | 29 | 1k+ | Nonce verification recommended | ||
| #3180 | Donations via PayPal | 40 | 143 | 17 | 20k+ | Output is not escaped | ||
| #3181 | Paystack MemberPress | 40 | 71 | 76 | 400 | Output is not escaped | ||
| #3182 | Permalink Editor | 40 | 50 | 28 | 1k+ | Output is not escaped | ||
| #3183 | Permalink Manager for WooCommerce | 40 | 115 | 20 | 8k+ | Short PHP open tag found | ||
| #3184 | Pixel Tag Manager for WooCommerce – Google Analytics 4, Google Ads, and More Pixels | 40 | 69 | 228 | 3k+ | Missing nonce verification | ||
| #3185 | Plugin Load Filter | 40 | 76 | 112 | 7k+ | Text Domain Mismatch | ||
| #3186 | Popup addon for Ninja Forms | 40 | 121 | 25 | 1k+ | Output is not escaped | ||
| #3187 | Post Ratings | 40 | 160 | 32 | 600 | Output is not escaped | ||
| #3188 | Requirements Checklist | 40 | 200 | 22 | 900 | Output is not escaped | ||
| #3189 | Private Google Calendars | 40 | 227 | 37 | 1k+ | Output is not escaped | ||
| #3190 | Privilege Widget | 40 | 139 | 52 | 600 | Text Domain Mismatch | ||
| #3191 | Quick Child Theme Generator | 40 | 22 | 74 | 900 | Request data is not unslashed | ||
| #3192 | Quiz Cat – WordPress Quiz Plugin | 40 | 151 | 69 | 4k+ | Output is not escaped | ||
| #3193 | Random Banner | 40 | 59 | 125 | 1k+ | Output is not escaped | ||
| #3194 | Random Post Plugin – Redirect URL to Post | 40 | 28 | 74 | 3k+ | Nonce verification recommended | ||
| #3195 | Responsive Plus – Elementor Templates & Starter Sites | 40 | 46 | 305 | 10k+ | Non-prefixed global variable | ||
| #3196 | Responsive Full Width Background Slider | 40 | 131 | 22 | 2k+ | Unsafe printing function | ||
| #3197 | Responsive Gallery Grid | 40 | 90 | 14 | 4k+ | Output is not escaped | ||
| #3198 | Responsive Sidebar | 40 | 43 | 12 | 700 | Output is not escaped | ||
| #3199 | Responsive Slider | 40 | 28 | 15 | 3k+ | Output is not escaped | ||
| #3200 | REST API Custom Fields | 40 | 44 | 16 | 800 | Text Domain Mismatch |