WordPress.Security.NonceVerification.Recommended
Nonce verification recommended
The code reads request data in a place where Plugin Check recommends a nonce check.
Why It Shows Up
The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.
Why It Matters
Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.
How to Fix
- For admin forms and action links, add and verify a nonce.
- For AJAX handlers, use `check_ajax_referer()`.
- For public read-only endpoints, document why a nonce is not required and keep input validation strict.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3701 | Taxonomy Switcher | 48 | 22 | 36 | 2k+ | Nonce verification recommended | ||
| #3702 | Virtuaria PagBank / PagSeguro for WooCommerce | 48 | 12 | 160 | 1k+ | Non-prefixed global variable | ||
| #3703 | WC Provincia Canton Distrito | 48 | 103 | 14 | 1k+ | Text Domain Mismatch | ||
| #3704 | Whitelist IP For Limit Login Attempts | 48 | 18 | 12 | 500 | Output is not escaped | ||
| #3705 | WP Login Form | 48 | 14 | 20 | 7k+ | Request data is not unslashed | ||
| #3706 | ACF Quick Edit Fields | 49 | 20 | 72 | 30k+ | Nonce verification recommended | ||
| #3707 | Advanced Automatic Updates | 49 | 26 | 25 | 20k+ | Nonce verification recommended | ||
| #3708 | SiteEase Bulk Delete Manager | 49 | 50 | 72 | 900 | Direct Query | ||
| #3709 | Analytics by BestWebSoft – Google Analytics Dashboard and Statistic Plugin for WordPress | 49 | 478 | 176 | 1k+ | Text Domain Mismatch | ||
| #3710 | CallPage – Callback Widget | 49 | 41 | 17 | 1k+ | Non Singular String Literal Domain | ||
| #3711 | Gallery Carousel Without JetPack | 49 | 56 | 35 | 4k+ | Text Domain Mismatch | ||
| #3712 | Successful Redirection for Contact Form | 49 | 33 | 20 | 10k+ | Text Domain Mismatch | ||
| #3713 | CryptAPI Payment Gateway for WooCommerce | 49 | 185 | 23 | 400 | Text Domain Mismatch | ||
| #3714 | CIO Custom Fields Importer | 49 | 23 | 8 | 400 | Output is not escaped | ||
| #3715 | Download Media Library | 49 | 22 | 40 | 1k+ | Text Domain Mismatch | ||
| #3716 | Drag and Drop Multiple File Upload for WooCommerce | 49 | 114 | 29 | 5k+ | Text Domain Mismatch | ||
| #3717 | Easy Google AdSense | 49 | 19 | 12 | 5k+ | Output is not escaped | ||
| #3718 | Easy Media Download | 49 | 20 | 15 | 9k+ | Output is not escaped | ||
| #3719 | Easy Property Listings | 49 | 60 | 66 | 5k+ | wp function not compatible with requires wp | ||
| #3720 | Import into Easy Property Listings | 49 | 335 | 24 | 1k+ | Text Domain Mismatch | ||
| #3721 | GamiPress – Multimedia Content | 49 | 11 | 25 | 500 | Nonce verification recommended | ||
| #3722 | Ecommerce Fabrick | 49 | 4 | 135 | 1k+ | Nonce verification recommended | ||
| #3723 | Tag Pilot FREE – Google Tag Manager Integration for WooCommerce | 49 | 33 | 19 | 1k+ | Output is not escaped | ||
| #3724 | HT Feed | 49 | 76 | 11 | 700 | Output is not escaped | ||
| #3725 | Web Icons | 49 | 51 | 10 | 1k+ | Output is not escaped | ||
| #3726 | OneClick Chat to Order | 49 | 677 | 41 | 40k+ | Text Domain Mismatch | ||
| #3727 | ReCrawler | 49 | 10 | 40 | 4k+ | Direct Query | ||
| #3728 | Registered Users Only | 49 | 14 | 14 | 2k+ | Unsafe printing function | ||
| #3729 | Search in Place | 49 | 74 | 57 | 3k+ | wp function not compatible with requires wp | ||
| #3730 | Secondary Product Image for WooCommerce | 49 | 25 | 29 | 2k+ | Output is not escaped | ||
| #3731 | Songkick Concerts and Festivals | 49 | 9 | 48 | 500 | Input is not sanitized | ||
| #3732 | Stop Pinging Yourself | 49 | 47 | 8 | 600 | Non Singular String Literal Domain | ||
| #3733 | UiCore Animate – Free Animations, Transitions, and Interactions Addon for Elementor & Gutenberg blocks | 49 | 34 | 38 | 40k+ | Missing direct file access protection | ||
| #3734 | Users by Date Registered | 49 | 13 | 20 | 1k+ | Nonce verification recommended | ||
| #3735 | PDF Invoices & Packing Slips for WooCommerce – Challan | 49 | 56 | 151 | 4k+ | Non-prefixed global variable | ||
| #3736 | Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit | 49 | 5 | 145 | 1k+ | Missing nonce verification | ||
| #3737 | Product Slider, Product Grid, Product Masonry | 49 | 55 | 144 | 10k+ | wp function not compatible with requires wp | ||
| #3738 | WP Sitemap Page | 49 | 43 | 14 | 200k+ | Missing Translators Comment | ||
| #3739 | WP Smart Import : Import any XML File to WordPress | 49 | 28 | 302 | 1k+ | Non-prefixed global variable | ||
| #3740 | WP User Groups | 49 | 44 | 32 | 600 | Missing Translators Comment | ||
| #3741 | Booster for WPForms | 50 | 79 | 45 | 700 | Text Domain Mismatch | ||
| #3742 | BuddyPress Groups Extras | 50 | 30 | 51 | 400 | Missing direct file access protection | ||
| #3743 | Page Builder Gutenberg Blocks – CoBlocks | 50 | 167 | 36 | 300k+ | block api version too low | ||
| #3744 | Customize Tawk.to Widget | 50 | 21 | 28 | 500 | Request data is not unslashed | ||
| #3745 | Disable Site | 50 | 26 | 3 | 4k+ | Output is not escaped | ||
| #3746 | Block IPs for Gravity Forms | 50 | 8 | 36 | 1k+ | Request data is not unslashed | ||
| #3747 | Headline Analyzer | 50 | 13 | 31 | 1k+ | Nonce verification recommended | ||
| #3748 | HT Slider For Elementor | 50 | 884 | 40 | 20k+ | Text Domain Mismatch | ||
| #3749 | IMGspider – 图片采集抓取插件 | 50 | 12 | 49 | 2k+ | Missing nonce verification | ||
| #3750 | Custom Block Builder – Lazy Blocks | 50 | 23 | 51 | 20k+ | Non-prefixed hook name |