WordPress.Security.NonceVerification.Recommended
Nonce verification recommended
The code reads request data in a place where Plugin Check recommends a nonce check.
Why It Shows Up
The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.
Why It Matters
Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.
How to Fix
- For admin forms and action links, add and verify a nonce.
- For AJAX handlers, use `check_ajax_referer()`.
- For public read-only endpoints, document why a nonce is not required and keep input validation strict.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3451 | Gelato Integration for WooCommerce | 42 | 36 | 32 | 5k+ | Output is not escaped | ||
| #3452 | Geo Blocker – Control Site Access by Region and IP | 42 | 10 | 64 | 800 | Direct Query | ||
| #3453 | Goolytics – Simple Google Analytics | 42 | 37 | 5 | 4k+ | Unsafe printing function | ||
| #3454 | Hide Cart Functions | 42 | 12 | 50 | 3k+ | Nonce verification recommended | ||
| #3455 | Hide Featured Image | 42 | 26 | 12 | 10k+ | Unsafe printing function | ||
| #3456 | Image Uploader for Welcart | 42 | 27 | 24 | 3k+ | Output is not escaped | ||
| #3457 | WP All Import – Import SEO Settings for Rank Math SEO | 42 | 18 | 44 | 7k+ | Nonce verification recommended | ||
| #3458 | iOS images fixer | 42 | 22 | 42 | 6k+ | Nonce verification recommended | ||
| #3459 | iyzico for WooCommerce | 42 | 34 | 54 | 10k+ | Unsafe printing function | ||
| #3460 | Lazy Social Comments | 42 | 73 | 10 | 1k+ | Unsafe printing function | ||
| #3461 | LeadSnap | 42 | 14 | 84 | 1k+ | Input is not validated | ||
| #3462 | LH Page Links To | 42 | 25 | 38 | 500 | Output is not escaped | ||
| #3463 | LIQUID BLOCKS – Slider, Carousel, Accordion | 42 | 50 | 31 | 4k+ | Unsafe printing function | ||
| #3464 | Mailster Cool Captcha | 42 | 65 | 28 | 400 | Text Domain Mismatch | ||
| #3465 | Medical Addon for Elementor | 42 | 200 | 8 | 1k+ | Text Domain Mismatch | ||
| #3466 | Message Popup For Contact Form 7 | 42 | 30 | 81 | 1k+ | Missing nonce verification | ||
| #3467 | My Upload Images | 42 | 74 | 48 | 400 | Unsafe printing function | ||
| #3468 | Nav Menu Collapse | 42 | 17 | 39 | 3k+ | Missing nonce verification | ||
| #3469 | NS Remove Related Products for WooCommerce | 42 | 95 | 43 | 3k+ | Output is not escaped | ||
| #3470 | OnPay.io for WooCommerce | 42 | 238 | 37 | 1k+ | Text Domain Mismatch | ||
| #3471 | PageMenu | 42 | 16 | 29 | 1k+ | Missing nonce verification | ||
| #3472 | PAYDUNYA WOOCOMMERCE PAR | 42 | 54 | 32 | 600 | Text Domain Mismatch | ||
| #3473 | المنتور فارسی | 42 | 17 | 52 | 40k+ | Nonce verification recommended | ||
| #3474 | Photo Galleria | 42 | 78 | 5 | 800 | Missing Arg Domain | ||
| #3475 | Polylang Theme Strings | 42 | 119 | 30 | 6k+ | Output is not escaped | ||
| #3476 | Post Types Order | 42 | 45 | 43 | 600k+ | wp function not compatible with requires wp | ||
| #3477 | WP Email Log – PostBox | 42 | 2 | 81 | 700 | Nonce verification recommended | ||
| #3478 | Prepare New Version | 42 | 53 | 24 | 6k+ | Output is not escaped | ||
| #3479 | Prismatic | 42 | 61 | 29 | 2k+ | Output is not escaped | ||
| #3480 | Product Price History for WooCommerce | 42 | 101 | 800 | Nonce verification recommended | |||
| #3481 | PuSHPress | 42 | 11 | 65 | 20k+ | Missing nonce verification | ||
| #3482 | reCAPTCHA for WooCommerce | 42 | 80 | 31 | 40k+ | Output is not escaped | ||
| #3483 | Rename wp-admin login | 42 | 23 | 38 | 8k+ | Output is not escaped | ||
| #3484 | Reusable Blocks Extended | 42 | 38 | 15 | 20k+ | Output is not escaped | ||
| #3485 | SALERT – Fake Sales Notification WooCommerce | 42 | 41 | 67 | 8k+ | Non-prefixed global variable | ||
| #3486 | Sendcloud Shipping | 42 | 78 | 56 | 5k+ | Output is not escaped | ||
| #3487 | SEO Backlink Monitor | 42 | 86 | 105 | 700 | Output is not escaped | ||
| #3488 | Simple Download Counter | 42 | 58 | 46 | 2k+ | Output is not escaped | ||
| #3489 | SMTP Mailer | 42 | 51 | 49 | 70k+ | Unsafe printing function | ||
| #3490 | Speed Contact Bar | 42 | 53 | 20 | 5k+ | Output is not escaped | ||
| #3491 | Starter Sites | 42 | 62 | 25 | 1k+ | Output is not escaped | ||
| #3492 | Combine Social Photos | Still BE | 42 | 33 | 281 | 700 | Non-prefixed global variable | ||
| #3493 | ThemeZee Widget Bundle | 42 | 211 | 58 | 5k+ | Output is not escaped | ||
| #3494 | Transients Manager | 42 | 45 | 50 | 20k+ | Output is not escaped | ||
| #3495 | Two Factor | 42 | 18 | 70 | 100k+ | Nonce verification recommended | ||
| #3496 | Ultimate Coming Soon Page, Maintenance Mode & Under Construction – Gutenberg Block Builder & Landing Page | 42 | 15 | 89 | 9k+ | Non-prefixed global variable | ||
| #3497 | Usermaven | 42 | 36 | 77 | 1k+ | Request data is not unslashed | ||
| #3498 | Vast Demo Import | 42 | 180 | 113 | 600 | Text Domain Mismatch | ||
| #3499 | WC Speed Repair | 42 | 34 | 74 | 1k+ | Non-prefixed global variable | ||
| #3500 | Weather Widget Pro | 42 | 294 | 5 | 1k+ | Output is not escaped |