WordPress.Security.NonceVerification.Recommended

Nonce verification recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical weight

Why It Shows Up

The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.

Why It Matters

Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.

How to Fix

  • For admin forms and action links, add and verify a nonce.
  • For AJAX handlers, use `check_ajax_referer()`.
  • For public read-only endpoints, document why a nonce is not required and keep input validation strict.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3651Updater by BestWebSoft464942192k+Text Domain Mismatch
#3652URL Params4636178k+Text Domain Mismatch
#3653WEN Logo Slider466461k+Non-prefixed global variable
#3654Custom Price Labels for WooCommerce4617221k+Output is not escaped
#3655WPB Category Slider for WooCommerce – Responsive Product Category Carousel & Enhanced UX4610116700Non Singular String Literal Domain
#3656WP All Import – Import SEO Settings for Yoast SEO46192620k+Nonce verification recommended
#3657Auto Focus Keyword for SEO4713442k+Interpolated SQL is not prepared
#3658Avacy CMP47590500Non-prefixed global variable
#3659Verified Member for BuddyPress4720383k+Nonce verification recommended
#3660404 Image Redirection (Replace Broken Images)4711885600Text Domain Mismatch
#3661Cashfree for WooCommerce4721218k+Nonce verification recommended
#3662Better Badge – Custom Product Badges for WooCommerce472247500Non Singular String Literal Domain
#3663Customizer Export/Import471415100k+Unsafe printing function
#3664DPO Pay for WooCommerce4728411k+Non Singular String Literal Text
#3665Extended CRM for Users Insights471123400Missing nonce verification
#3666Flying Pages: Preload Pages for Faster Navigation & Improved User Experience47212120k+Missing direct file access protection
#3667Gateway AqayePardakht for Woocommerce4772234k+Text Domain Mismatch
#3668Groups 404 Redirect4735331k+Non Singular String Literal Domain
#3669Import Users from CSV47331210k+Unsafe printing function
#3670Log Emails4719296k+Non-prefixed global variable
#3671Real Media Library: Media Library Folder & File Manager471365100k+Direct Query
#3672Restore PayPal Standard for WooCommerce4719533k+Nonce verification recommended
#3673Simple Custom Post Order47976300k+Direct Query
#3674SportsPress for Baseball4711334900Text Domain Mismatch
#3675Tabby Checkout4733464k+Non-prefixed class
#3676Simple Client Dashboard4738362k+Missing direct file access protection
#3677Better Usability for WooCommerce473093800Non-prefixed hook name
#3678iControlWP4745591k+Missing direct file access protection
#36793CX Free Live Chat, Calls & Messaging472416100k+Output is not escaped
#3680WP PHP Console471824500Output is not escaped
#3681QuadLayers TikTok Feed4778527k+Text Domain Mismatch
#3682WP User Profile Restriction47268400Output is not escaped
#3683Compress, Resize & Lazy Load Images – WPvivid Image Optimization471075810k+Missing direct file access protection
#3684XML Sitemap & Google News47270224100k+Non-prefixed global variable
#3685Add Polylang support for Customizer4818202k+Nonce verification recommended
#3686Ansar Import – One Click Starter Sites – for Elementor & Themes482711610k+Non-prefixed global variable
#3687Better Block Patterns4877111k+Missing direct file access protection
#3688Comment Notifier481055400Non-prefixed global variable
#3689CookieFox – Cookie Notice481419400Output is not escaped
#3690Current Menu Item for Custom Post Types4818302k+Non-prefixed global variable
#3691Filter Page by Template4817202k+Nonce verification recommended
#3692Fixed And Sticky Header483171k+Output is not escaped
#3693Maps Plugin using Google Maps for WordPress – WP Google Map482893810k+wp function not compatible with requires wp
#3694Hotline Phone Ring4816158k+Output is not escaped
#3695JW Player for WordPress48288781k+Text Domain Mismatch
#3696Library Bookshelves481259500Nonce verification recommended
#3697Mailster Live482237600Missing Translators Comment
#3698Optinly – Exit Intent, Newsletter Popups, Gamification & Opt-in Forms483414800Non Singular String Literal Domain
#3699Raw HTML Snippets4814362k+Input is not sanitized
#3700Simple Regenerate Slug48186400Unsafe printing function