WordPress.Security.NonceVerification.Recommended
Nonce verification recommended
The code reads request data in a place where Plugin Check recommends a nonce check.
Why It Shows Up
The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.
Why It Matters
Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.
How to Fix
- For admin forms and action links, add and verify a nonce.
- For AJAX handlers, use `check_ajax_referer()`.
- For public read-only endpoints, document why a nonce is not required and keep input validation strict.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3801 | REST API Log | 51 | 44 | 95 | 5k+ | Non-prefixed hook name | ||
| #3802 | YayMail – WooCommerce Email Customizer | 51 | 163 | 788 | 50k+ | Non-prefixed global variable | ||
| #3803 | Affiliate Area Shortcodes by AffiliateWP | 52 | 56 | 16 | 2k+ | Text Domain Mismatch | ||
| #3804 | Check Pincode For WooCommerce | 52 | 55 | 400 | Direct Query | |||
| #3805 | Debug This | 52 | 43 | 32 | 2k+ | Missing Translators Comment | ||
| #3806 | Formstack Online Forms | 52 | 39 | 20 | 1k+ | Output is not escaped | ||
| #3807 | Request a Quote for WooCommerce – Get a Quote Button | 52 | 25 | 12 | 6k+ | Output is not escaped | ||
| #3808 | Hangul font nanumgothic – google | 52 | 35 | 16 | 1k+ | Output is not escaped | ||
| #3809 | Post Notification by Email | 52 | 36 | 13 | 2k+ | Output is not escaped | ||
| #3810 | Plugins Load Order | 52 | 32 | 16 | 500 | Non Singular String Literal Domain | ||
| #3811 | Podium | 52 | 21 | 23 | 5k+ | Missing direct file access protection | ||
| #3812 | Product Bundles – Variation Bundles | 52 | 23 | 13 | 600 | Output is not escaped | ||
| #3813 | SEOWriting | 52 | 10 | 24 | 30k+ | Output is not escaped | ||
| #3814 | SKU Generator for WooCommerce | 52 | 29 | 12 | 2k+ | Output is not escaped | ||
| #3815 | Starbox – the Author Box for Humans | 52 | 144 | 19 | 10k+ | Non Singular String Literal Domain | ||
| #3816 | Custom Post Template By Templatic | 52 | 19 | 14 | 700 | Text Domain Mismatch | ||
| #3817 | WPVibe – MCP Server for WordPress. Connect Claude, ChatGPT, Gemini & Cursor | 52 | 19 | 58 | 4k+ | Interpolated SQL is not prepared | ||
| #3818 | Notiqoo – Order Notification & Customer Chat for WooCommerce | 52 | 11 | 187 | 1k+ | Non-prefixed global variable | ||
| #3819 | Wenprise Pinyin Slug | 52 | 30 | 34 | 4k+ | Text Domain Mismatch | ||
| #3820 | which template file | 52 | 19 | 12 | 4k+ | Output is not escaped | ||
| #3821 | Add to Cart Custom Redirect for WooCommerce | 52 | 33 | 13 | 2k+ | Text Domain Mismatch | ||
| #3822 | Price Based on Country for WooCommerce | 52 | 43 | 126 | 20k+ | Non-prefixed hook name | ||
| #3823 | Products Per Page for WooCommerce | 52 | 22 | 28 | 10k+ | Output is not escaped | ||
| #3824 | WP Eventbrite Embedded Checkout | 52 | 49 | 7 | 700 | Text Domain Mismatch | ||
| #3825 | WP Hooks Finder | 52 | 27 | 31 | 1k+ | Output is not escaped | ||
| #3826 | WP Secure Maintenance | 52 | 28 | 18 | 1k+ | Output is not escaped | ||
| #3827 | Bg RuTube Embed | 53 | 19 | 21 | 1k+ | Unsafe printing function | ||
| #3828 | Bulk Actions Select All | 53 | 26 | 22 | 800 | Text Domain Mismatch | ||
| #3829 | Disable Comments – Remove Comments & Stop Spam [Multi-Site Support] | 53 | 15 | 46 | 1m+ | Non-prefixed global variable | ||
| #3830 | Download PDF After Submit Form | 53 | 2 | 45 | 500 | Input is not sanitized | ||
| #3831 | Export Custom Pages | 53 | 22 | 19 | 700 | Output is not escaped | ||
| #3832 | FakerPress | 53 | 66 | 152 | 10k+ | Non-prefixed global variable | ||
| #3833 | File Manager | 53 | 41 | 68 | 10k+ | Missing direct file access protection | ||
| #3834 | International Telephone Input for Contact Form 7 | 53 | 18 | 10 | 8k+ | Missing direct file access protection | ||
| #3835 | LearnPress – bbPress Integration | 53 | 19 | 14 | 2k+ | Output is not escaped | ||
| #3836 | MOBILOOK — Mobile View & Mobile‑Friendly Test | 53 | 10 | 20 | 1k+ | Missing nonce verification | ||
| #3837 | Multiple Post Thumbnails | 53 | 25 | 18 | 20k+ | Output is not escaped | ||
| #3838 | ONTRApages | 53 | 16 | 27 | 1k+ | Output is not escaped | ||
| #3839 | Post Type Converter | 53 | 5 | 28 | 1k+ | Nonce verification recommended | ||
| #3840 | Preserved HTML Editor Markup | 53 | 12 | 22 | 600 | Output is not escaped | ||
| #3841 | Preserved HTML Editor Markup Plus | 53 | 12 | 22 | 3k+ | Output is not escaped | ||
| #3842 | pretix widget | 53 | 25 | 39 | 400 | Non-prefixed global variable | ||
| #3843 | Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely | 53 | 34 | 90 | 20k+ | Database parameter is not escaped | ||
| #3844 | Shamor | 53 | 55 | 12 | 400 | wp function not compatible with requires wp | ||
| #3845 | Simple Blog Stats | 53 | 25 | 76 | 4k+ | Non-prefixed function | ||
| #3846 | Simple Copy Post Button | 53 | 14 | 24 | 400 | Input is not sanitized | ||
| #3847 | Skroutz Analytics for WooCommerce | 53 | 57 | 15 | 1k+ | Text Domain Mismatch | ||
| #3848 | Social Media Widget | 53 | 90 | 21 | 30k+ | Text Domain Mismatch | ||
| #3849 | Texty – SMS Notification for WordPress, WooCommerce, Dokan and more | 53 | 31 | 34 | 8k+ | Output is not escaped | ||
| #3850 | Morning for WooCommerce | 53 | 7 | 59 | 1k+ | Non-prefixed global variable |