WordPress.Security.NonceVerification.Recommended

Nonce verification recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical weight

Why It Shows Up

The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.

Why It Matters

Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.

How to Fix

  • For admin forms and action links, add and verify a nonce.
  • For AJAX handlers, use `check_ajax_referer()`.
  • For public read-only endpoints, document why a nonce is not required and keep input validation strict.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3151Interactive US Map4013654400Text Domain Mismatch
#3152Internal Linking of Related Contents40714471k+Output is not escaped
#3153Quotes Addon for GetPaid4019121700Text Domain Mismatch
#3154JSM Show Order Metadata for WooCommerce HPOS401764700Nonce verification recommended
#3155JSM Show Post Metadata40156610k+Nonce verification recommended
#3156JSM Show Term Metadata401464900Nonce verification recommended
#3157JSM Show User Metadata4014643k+Nonce verification recommended
#3158La Sentinelle antispam4088463k+Output is not escaped
#3159Limit Login Attempts408138300k+Output is not escaped
#3160Links shortcode407313900Unsafe printing function
#3161Listdomer Core404592400Non-prefixed global variable
#3162WP All Import – Listings Import for Listify403427400Output is not escaped
#3163LJ Multi Column Archive4017251k+Output is not escaped
#3164LLM Bot Tracker – AI Crawler Detection & Analytics401890700Database parameter is not escaped
#3165Loan Comparison4027192400Request data is not unslashed
#3166Logbook4033591k+Nonce verification recommended
#3167WPO365 | Mail Integration for Office 365 / Outlook4059272k+Output is not escaped
#3168Manual Image Crop40178618k+Output is not escaped
#3169MAS Company Reviews For WP Job Manager4044711k+Output is not escaped
#3170Mass Email To Users408481800Output is not escaped
#3171MembershipWorks – Membership, Events & Directory4041292k+Output is not escaped
#3172Modal Window – create popup modal window40417010k+Non-prefixed global variable
#3173코드엠샵 소셜톡404736400Output is not escaped
#3174My Social Feeds – Social Feeds Embedder Plugin for WP40877400Request data is not unslashed
#3175Flying Images: Optimize and Lazy Load Images for Faster Page Speed4032583k+Missing direct file access protection
#3176No-Bot Registration40112422k+Unsafe printing function
#3177No CAPTCHA reCAPTCHA40112264k+Text Domain Mismatch
#3178One Click SSL401366210k+Unsafe printing function
#3179Page Comments Off Please4017291k+Nonce verification recommended
#3180Donations via PayPal401431720k+Output is not escaped
#3181Paystack MemberPress407176400Output is not escaped
#3182Permalink Editor4050281k+Output is not escaped
#3183Permalink Manager for WooCommerce40115208k+Short PHP open tag found
#3184Pixel Tag Manager for WooCommerce – Google Analytics 4, Google Ads, and More Pixels40692283k+Missing nonce verification
#3185Plugin Load Filter40761127k+Text Domain Mismatch
#3186Popup addon for Ninja Forms40121251k+Output is not escaped
#3187Post Ratings4016032600Output is not escaped
#3188Requirements Checklist4020022900Output is not escaped
#3189Private Google Calendars40227371k+Output is not escaped
#3190Privilege Widget4013952600Text Domain Mismatch
#3191Quick Child Theme Generator402274900Request data is not unslashed
#3192Quiz Cat – WordPress Quiz Plugin40151694k+Output is not escaped
#3193Random Banner40591251k+Output is not escaped
#3194Random Post Plugin – Redirect URL to Post4028743k+Nonce verification recommended
#3195Responsive Plus – Elementor Templates & Starter Sites404630510k+Non-prefixed global variable
#3196Responsive Full Width Background Slider40131222k+Unsafe printing function
#3197Responsive Gallery Grid4090144k+Output is not escaped
#3198Responsive Sidebar404312700Output is not escaped
#3199Responsive Slider4028153k+Output is not escaped
#3200REST API Custom Fields404416800Text Domain Mismatch