WordPress.Security.NonceVerification.Recommended
Nonce verification recommended
The code reads request data in a place where Plugin Check recommends a nonce check.
Why It Shows Up
The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.
Why It Matters
Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.
How to Fix
- For admin forms and action links, add and verify a nonce.
- For AJAX handlers, use `check_ajax_referer()`.
- For public read-only endpoints, document why a nonce is not required and keep input validation strict.
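As an added example (not code from the Plugin Check page or from any plugin listed below; the `myplugin` prefix, the option name and the action names are assumed), the admin action link and AJAX handler the fix list describes, first in the shape the sniff flags and then with the nonce added and verified:

```php
<?php
// Added example, not code from the Plugin Check page. The 'myplugin' prefix,
// the option name and the action names are assumed for illustration.

// Flagged shape: request data drives a state change with no nonce check, so any
// link a logged-in administrator is lured into following performs the reset.
function myplugin_handle_reset_unprotected() {
    if ( isset( $_GET['myplugin_action'] ) && 'reset' === $_GET['myplugin_action'] ) {
        delete_option( 'myplugin_settings' );
    }
}

// Fixed: the action link carries a nonce bound to the action name, and the
// handler verifies nonce and capability before touching state.
function myplugin_reset_link() {
    $url = wp_nonce_url(
        admin_url( 'admin.php?page=myplugin&myplugin_action=reset' ),
        'myplugin_reset',  // action the nonce is bound to
        'myplugin_nonce'   // query argument that carries the nonce
    );
    echo '<a href="' . esc_url( $url ) . '">' . esc_html__( 'Reset settings', 'myplugin' ) . '</a>';
}

function myplugin_handle_reset() {
    $action = isset( $_GET['myplugin_action'] ) ? sanitize_key( wp_unslash( $_GET['myplugin_action'] ) ) : '';
    if ( 'reset' !== $action ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'myplugin' ) );
    }
    // Verifies the nonce in the query argument named above; on failure it stops
    // with WordPress's "link has expired" page instead of continuing.
    check_admin_referer( 'myplugin_reset', 'myplugin_nonce' );
    delete_option( 'myplugin_settings' );
}
add_action( 'admin_init', 'myplugin_handle_reset' );

// AJAX variant: the client sends the value of wp_create_nonce( 'myplugin_ajax' )
// in a 'security' field; check_ajax_referer() rejects the request if it is missing or stale.
function myplugin_ajax_reset() {
    check_ajax_referer( 'myplugin_ajax', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    delete_option( 'myplugin_settings' );
    wp_send_json_success();
}
add_action( 'wp_ajax_myplugin_reset', 'myplugin_ajax_reset' );
```

The unprotected function is shown only for contrast and is not hooked; the nonce check must sit before the state change, after the capability check, so a stale or forged request never reaches `delete_option()`.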
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue |
|---|---|---|---|---|---|---|
| #3401 | Author Filters | 87 | 2 | 7 | 1k+ | Nonce verification recommended |
| #3402 | Authors List | 87 | 2 | 16 | 5k+ | Nonce verification recommended |
| #3403 | LocoAI – Auto Translate for Loco Translate | 87 | 10 | 41 | 70k+ | Non-prefixed global variable |
| #3404 | Catch Infinite Scroll | 87 | 20* | | 10k+ | Non-prefixed global variable |
| #3405 | Disable User Password Reset Admin Notifications | 87 | 6 | 2 | 1k+ | Nonce verification recommended |
| #3406 | Farsi Font for Elementor | 87 | 11 | 2 | 1k+ | Missing Translators Comment |
| #3407 | I Recommend This – Love/Like Button for WordPress Posts | 87 | 3 | 49 | 5k+ | Direct Query |
| #3408 | Image Optimizer – Optimize Images and Convert to WebP or AVIF | 87 | 14 | 24 | 1m+ | Missing Translators Comment |
| #3409 | Minimum Purchase Amount For Woo Cart – For WooCommerce | 87 | 72 | 8 | 5k+ | Text Domain Mismatch |
| #3410 | No Category Base (WPML) | 87 | 5 | 5 | 100k+ | Missing direct file access protection |
| #3411 | Object Cache 4 everyone | 87 | 2 | 65 | 5k+ | Non-prefixed function |
| #3412 | Parallax Section Block – Add Parallax Scrolling Effects to Sections. | 87 | 3 | 22 | 3k+ | Non-prefixed global variable |
| #3413 | Export Single Post Page | 87 | 3 | 6 | 2k+ | Nonce verification recommended |
| #3414 | Smaily Connect | 87 | 52* | | 2k+ | Non-prefixed global variable |
| #3415 | Tickera – Sell Tickets & Manage Events | 87 | 7 | 54 | 2k+ | Non-prefixed hook name |
| #3416 | Variations as Single Product – Display Single Variation for WooCommerce | 87 | 8 | 33 | 1k+ | Direct Query |
| #3417 | Coupon Box for WooCommerce | 87 | 11 | 85 | 1k+ | Non-prefixed global variable |
| #3418 | Worldline Online Checkout | 88 | 4 | 16 | 1k+ | Nonce verification recommended |
| #3419 | Catch IDs | 88 | 16* | | 20k+ | Non-prefixed global variable |
| #3420 | CPO Content Types | 88 | 13 | 25 | 3k+ | Missing direct file access protection |
| #3421 | MC4WP: Mailchimp Top Bar – Email Subscribe Notification Bar | 88 | 1 | 21 | 7k+ | Non-prefixed global variable |
| #3422 | User IP and Location | 88 | 2 | 10 | 3k+ | Input is not sanitized |
| #3423 | FlexMeeting – Webinar & Meeting Plugin for Jitsi Meet | 88 | 6 | 18 | 1k+ | Nonce verification recommended |
| #3424 | Divi Carousel Free (Divi5 Support) | 88 | 268 | 26 | 30k+ | Text Domain Mismatch |
| #3425 | WPC Admin Columns | 88 | 30* | | 1k+ | Direct Query |
| #3426 | Better Variation Price for WooCommerce | 89 | 5 | 12 | 1k+ | Nonce verification recommended |
| #3427 | Blog Filter – Post Grid Filter by Category or Tag | 89 | 1 | 5 | 7k+ | Nonce verification recommended |
| #3428 | Canvas | 89 | 19 | 112 | 10k+ | Non-prefixed global variable |
| #3429 | Classic Widgets with Block-based Widgets | 89 | 1 | 4 | 1k+ | Input is not sanitized |
| #3430 | Custom Layouts – Post + Product grids made easy | 89 | 23 | 22 | 4k+ | Missing Translators Comment |
| #3431 | Leadfeeder | 89 | 2 | 3 | 2k+ | Non-prefixed class |
| #3432 | Disable WP Registration Page | 89 | 4 | 9 | 2k+ | trademarked term |
| #3433 | FV Clone Screen Options | 89 | 16 | 3 | 1k+ | wp function not compatible with requires wp |
| #3434 | Koala AI | 89 | 9* | | 1k+ | Nonce verification recommended |
| #3435 | Loading Page with Loading Screen | 89 | 49 | 18 | 10k+ | wp function not compatible with requires wp |
| #3436 | Popups for Divi | 89 | 99 | 57 | 100k+ | Text Domain Mismatch |
| #3437 | Real Custom Post Order: Create a custom order for your content | 89 | 1 | 19 | 9k+ | Non-prefixed global variable |
| #3438 | Statify | 89 | 5 | 33 | 100k+ | Direct Query |
| #3439 | Password Strength Settings for WooCommerce | 89 | 17 | 6 | 10k+ | Missing Arg Domain |
| #3440 | WPC Variation Swatches for WooCommerce | 89 | 29* | | 6k+ | Non-prefixed global variable |
| #3441 | Cryptocurrency Widgets For Elementor | 90 | 1 | 33 | 2k+ | Non-prefixed global variable |
| #3442 | Duplicate PP | 90 | 8* | | 10k+ | Non-prefixed constant |
| #3443 | SocialFeeds | 90 | 10* | | 20k+ | Nonce verification recommended |
| #3444 | WPC Smart Compare for WooCommerce | 90 | 22* | | 70k+ | Nonce verification recommended |
| #3445 | WPC Smart Quick View for WooCommerce | 90 | 25* | | 90k+ | Nonce verification recommended |
| #3446 | WPC Custom Related Products for WooCommerce | 90 | 4 | 27 | 1k+ | Non-prefixed class |
| #3447 | Local Business Schema (JSON-LD) Lite | 90 | 155 | 8 | 3k+ | Text Domain Mismatch |
| #3448 | Contact Form 7 Syntax Highlighting | 91 | 4 | 10 | 1k+ | Nonce verification recommended |
| #3449 | Clio Grow Form | 91 | 179 | 19 | 1k+ | Text Domain Mismatch |
| #3450 | Curator.io | 91 | 3 | 9 | 2k+ | Nonce verification recommended |

\* Only a single count survives for this row; the listing does not indicate whether it is the error count or the warning count, so it is shown in the first column with the other left blank. The Added and Updated columns were empty for every row and have been dropped.