WordPress.Security.NonceVerification.Recommended

Nonce verification recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical weight

Why It Shows Up

The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.

Why It Matters

Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.

How to Fix

  • For admin forms and action links, add and verify a nonce.
  • For AJAX handlers, use `check_ajax_referer()`.
  • For public read-only endpoints, document why a nonce is not required and keep input validation strict.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3301CloudGuard4141131k+Output is not escaped
#3302Colorful Categories4120202k+Output is not escaped
#3303Comments Like Dislike41172205k+Non Singular String Literal Domain
#3304Contact Form 7 Captcha41775100k+Request data is not unslashed
#3305Controlled Admin Access41224010k+Nonce verification recommended
#3306Cookie Notice & Consent41101291k+Output is not escaped
#3307Simple Website Banner411068700Output is not escaped
#3308CurrencyConverter416296700Non Singular String Literal Domain
#3309Database for CF74137322k+Text Domain Mismatch
#3310Debug Bar41642520k+Output is not escaped
#3311Developer Loggers for Simple History414628400Text Domain Mismatch
#3312Dinamize414165500Output is not escaped
#3313Disable Everything41901630k+Output is not escaped
#3314Disqus Conditional Load4138143k+Output is not escaped
#3315Duplicate Post Page Menu & Custom Post Type41351110k+Text Domain Mismatch
#3316Edit Lock414722500Non Singular String Literal Domain
#3317Essential Form – The lightest plugin for contact forms, ultra lightweight and no spam412153500Missing nonce verification
#3318Payment Gateway of PayPal for WooCommerce41441847k+Nonce verification recommended
#3319Extra User Details4184151k+Non Singular String Literal Domain
#3320Flexible Posts Widget41136337k+Output is not escaped
#3321Google Authenticator41396520k+Output is not escaped
#3322(Simply) Guest Author Name4135362k+Output is not escaped
#3323Hash Form – Drag & Drop Form Builder4192753k+Non-prefixed global variable
#3324Hide WP Admin Login412339500Nonce verification recommended
#3325Highcompress Image Compressor4110669600Text Domain Mismatch
#3326iCount Payment Gateway4115222500Text Domain Mismatch
#3327Import external attachments4118262k+Output is not escaped
#3328Infinite Ajax Scrolling Lite For Woocommerce413328500Output is not escaped
#3329Inpost Paczkomaty4135688k+Text Domain Mismatch
#3330Multiple Themes411124110k+Output is not escaped
#3331Social Sharing Plugin – Kiwi4123804k+Non-prefixed global variable
#3332Central Color Palette41733310k+Output is not escaped
#3333Lazy Load Optimizer4163263k+Unsafe printing function
#3334Lockdown WP Admin41205010k+Request data is not unslashed
#3335Log cleaner for Solid Security4165478k+Text Domain Mismatch
#3336Media Grid4142442k+Missing Arg Domain
#3337Mobile Contact Bar41943610k+Unsafe printing function
#3338Mollie Forms41145653k+Request data is not unslashed
#3339MouseWheel Smooth Scroll411047100k+Text Domain Mismatch
#3340My Wp Brand – Hide menu & Hide Plugin4174502k+Non Singular String Literal Domain
#3341Social Login4181105k+Input is not sanitized
#3342Live Chat & AI Chatbot – onWebChat413191700error log error log
#3343Optimus – WordPress Image Optimizer41522030k+Unsafe printing function
#3344Passwordless Login4140241k+Output is not escaped
#3345المنتور فارسی41195440k+Nonce verification recommended
#3346Personalize Login414784500Nonce verification recommended
#3347Pods – Custom Content Types and Fields415233100k+Direct Query
#3348Web Accessibility (formally known as Ally) – WCAG Scanning, Guided Fixes, Usability Widget414738500k+Output is not escaped
#3349Smart Post – Post Grid, Post Carousel, Post Slider Gutenberg Blocks for Blog & News4153720k+Non-prefixed global variable
#3350Post Cloner4125151k+Text Domain Mismatch