WordPress.Security.NonceVerification.Recommended
Nonce verification recommended
The code reads request data in a place where Plugin Check recommends a nonce check.
Why It Shows Up
The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.
Why It Matters
Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.
How to Fix
- For admin forms and action links, add and verify a nonce.
- For AJAX handlers, use `check_ajax_referer()`.
- For public read-only endpoints, document why a nonce is not required and keep input validation strict.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3501 | Usermaven | 42 | 36 | 77 | 1k+ | Request data is not unslashed | ||
| #3502 | Vast Demo Import | 42 | 180 | 113 | 600 | Text Domain Mismatch | ||
| #3503 | WC Speed Repair | 42 | 34 | 74 | 1k+ | Non-prefixed global variable | ||
| #3504 | Weather Widget Pro | 42 | 294 | 5 | 1k+ | Output is not escaped | ||
| #3505 | WebPlanex: GST Invoice India | 42 | 63 | 63 | 400 | Text Domain Mismatch | ||
| #3506 | Widget Visibility Time Scheduler | 42 | 70 | 34 | 1k+ | Output is not escaped | ||
| #3507 | Auto Coupons for WooCommerce | 42 | 82 | 68 | 4k+ | Output is not escaped | ||
| #3508 | WPC Order Notes for WooCommerce | 42 | 24 | 41 | 900 | Output is not escaped | ||
| #3509 | Dynamic Remarketing for Google Ads and WooCommerce | 42 | 32 | 15 | 2k+ | Output is not escaped | ||
| #3510 | WP Author Security | 42 | 40 | 13 | 500 | Output is not escaped | ||
| #3511 | WP Before After Image Slider – Interactive Image and Video Comparison Plugin for WordPress | 42 | 112 | 17 | 1k+ | Text Domain Mismatch | ||
| #3512 | WP Child Theme Generator | 42 | 35 | 66 | 20k+ | Request data is not unslashed | ||
| #3513 | WP Content Copy Protection & No Right Click | 42 | 126 | 135 | 100k+ | Unsafe printing function | ||
| #3514 | WP Cron Cleaner | 42 | 51 | 38 | 500 | Unsafe printing function | ||
| #3515 | WP Media Category Management | 42 | 10 | 176 | 6k+ | Nonce verification recommended | ||
| #3516 | Advanced All in One Admin Search by WP Spotlight | 42 | 25 | 25 | 900 | Missing Version | ||
| #3517 | WPB Custom Tab Manager for WooCommerce – Add, Edit & Reorder Tabs | 42 | 95 | 32 | 500 | Output is not escaped | ||
| #3518 | WPFomo | 42 | 45 | 9 | 600 | Output is not escaped | ||
| #3519 | WPTerm | 42 | 61 | 89 | 3k+ | Output is not escaped | ||
| #3520 | Yandex.Metrika | 42 | 15 | 20 | 900 | Unsafe printing function | ||
| #3521 | Zotpress | 42 | 10 | 403 | 2k+ | Non-prefixed global variable | ||
| #3522 | Admin Menu Tree Page View | 43 | 17 | 69 | 10k+ | Nonce verification recommended | ||
| #3523 | Animation Builder – An interface for adding scroll-triggered animations | 43 | 7 | 67 | 800 | Missing Version | ||
| #3524 | Anonymous Restricted Content | 43 | 22 | 24 | 1k+ | Unsafe printing function | ||
| #3525 | Auto Alt Text | 43 | 52 | 13 | 4k+ | Exception output is not escaped | ||
| #3526 | Automatic Responsive Tables | 43 | 67 | 15 | 1k+ | Output is not escaped | ||
| #3527 | BMI Adult & Kid Calculator | 43 | 33 | 138 | 700 | Request data is not unslashed | ||
| #3528 | Charla Live Chat | 43 | 33 | 13 | 500 | Output is not escaped | ||
| #3529 | Click to Call or Chat Buttons | 43 | 47 | 6 | 1k+ | Output is not escaped | ||
| #3530 | Comment Reply Email Notification | 43 | 44 | 19 | 3k+ | Output is not escaped | ||
| #3531 | Custom Menu | 43 | 83 | 11 | 400 | wp function not compatible with requires wp | ||
| #3532 | Customize Login Image | 43 | 32 | 9 | 3k+ | Unsafe printing function | ||
| #3533 | Customize Snapshots | 43 | 9 | 42 | 500 | Nonce verification recommended | ||
| #3534 | Database Addon For WPForms ( wpforms entries ) – WPFormsDB | 43 | 17 | 53 | 20k+ | Nonce verification recommended | ||
| #3535 | Directorist – WPML Integration | 43 | 10 | 134 | 400 | Non-prefixed hook name | ||
| #3536 | Disable Gutenberg | 43 | 23 | 47 | 500k+ | Nonce verification recommended | ||
| #3537 | Disable WP Notification | 43 | 74 | 25 | 10k+ | Output is not escaped | ||
| #3538 | Easy PayPal Shopping Cart | 43 | 19 | 40 | 1k+ | Input is not sanitized | ||
| #3539 | F4 Total Stock Value for WooCommerce | 43 | 27 | 12 | 1k+ | Output is not escaped | ||
| #3540 | Floating Awesome Button (Sticky Button, Popup, Toast) & 200+ Website Custom Interactive Element | 43 | 66 | 109 | 800 | Missing direct file access protection | ||
| #3541 | GD bbPress Tools | 43 | 15 | 61 | 1k+ | Input is not sanitized | ||
| #3542 | Per User Prompt for Google Authenticator | 43 | 8 | 52 | 400 | Nonce verification recommended | ||
| #3543 | Linker – URL shortener & track outbound link clicks | 43 | 17 | 17 | 2k+ | Output is not escaped | ||
| #3544 | Make Tables Responsive | 43 | 31 | 102 | 6k+ | Input is not validated | ||
| #3545 | MembershipWorks Login Connector | 43 | 28 | 81 | 700 | Request data is not unslashed | ||
| #3546 | Opal Woo Custom Product Variation | 43 | 1 | 116 | 400 | Non-prefixed global variable | ||
| #3547 | Pods Gravity Forms Add-On | 43 | 79 | 1k+ | Missing nonce verification | |||
| #3548 | Post Carousel Slider for Elementor | 43 | 133 | 23 | 3k+ | Text Domain Mismatch | ||
| #3549 | Redirect List | 43 | 34 | 22 | 1k+ | Output is not escaped | ||
| #3550 | Rut Chileno con Validación para WooCommerce | 43 | 35 | 16 | 1k+ | Text Domain Mismatch |