WordPress.Security.NonceVerification.Recommended
Nonce verification recommended
The code reads request data in a place where Plugin Check recommends a nonce check.
Why It Shows Up
The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.
Why It Matters
Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.
How to Fix
- For admin forms and action links, add and verify a nonce.
- For AJAX handlers, use `check_ajax_referer()`.
- For public read-only endpoints, document why a nonce is not required and keep input validation strict.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4101 | Slightly troublesome permalink | 63 | 24 | 10 | 1k+ | Non Singular String Literal Domain | ||
| #4102 | Contact Form to Chat Apps | Click to Chat to Order – FormyChat | 63 | 30 | 134 | 3k+ | Direct Query | ||
| #4103 | Review & testimonial widgets | 63 | 62 | 9 | 1k+ | Text Domain Mismatch | ||
| #4104 | User Switching | 63 | 2 | 47 | 200k+ | Nonce verification recommended | ||
| #4105 | PayPing Gateway For Woocommerce | 63 | 11 | 40 | 1k+ | Non-prefixed hook name | ||
| #4106 | Admin filter posts by year | 64 | 8 | 32 | 400 | Non-prefixed function | ||
| #4107 | Advanced Marquee Effect for Elementor | 64 | 13 | 10 | 2k+ | Output is not escaped | ||
| #4108 | Comment Blacklist Manager | 64 | 14 | 8 | 600 | Output is not escaped | ||
| #4109 | Custom Fields Account Registration For Woocommerce | 64 | 40 | 700 | Missing nonce verification | |||
| #4110 | Disabler | 64 | 212 | 38 | 900 | Text Domain Mismatch | ||
| #4111 | DoFollow Case by Case | 64 | 4 | 60 | 1k+ | Direct Query | ||
| #4112 | Dotdigital for WordPress | 64 | 41 | 123 | 400 | Dynamic hook name | ||
| #4113 | Easy Duplicate Woo Order | 64 | 17 | 10 | 1k+ | Unsafe printing function | ||
| #4114 | Evermore | 64 | 8 | 12 | 1k+ | Input is not validated | ||
| #4115 | Favicon XT-Manager | 64 | 9 | 12 | 2k+ | Output is not escaped | ||
| #4116 | Icon Element – Icon Pack for Elementor Page Builder (6718 icons) | 64 | 30 | 16 | 40k+ | wp function not compatible with requires wp | ||
| #4117 | Online Payments with iK Pay Gateway | 64 | 12 | 28 | 1k+ | Missing nonce verification | ||
| #4118 | Image Hover Effects – Elementor Addon | 64 | 117 | 7 | 40k+ | Text Domain Mismatch | ||
| #4119 | Integrate Firebase | 64 | 26 | 7 | 500 | Output is not escaped | ||
| #4120 | Inline Related Posts | 64 | 17 | 39 | 100k+ | Nonce verification recommended | ||
| #4121 | Meks Easy Social Share | 64 | 26 | 3 | 10k+ | Output is not escaped | ||
| #4122 | Moosend Website Connector | 64 | 15 | 12 | 1k+ | Non Singular String Literal Domain | ||
| #4123 | MultiSafepay plugin for WooCommerce | 64 | 13 | 35 | 2k+ | Missing nonce verification | ||
| #4124 | Product Import Export for WooCommerce – Import Export Product CSV Suite | 64 | 246 | 766 | 80k+ | Non-prefixed global variable | ||
| #4125 | Retrigger Notifications Gravity Forms | 64 | 55 | 8 | 1k+ | Text Domain Mismatch | ||
| #4126 | Send From | 64 | 5 | 18 | 500 | Input is not sanitized | ||
| #4127 | SMK Sidebar Generator | 64 | 19 | 5 | 10k+ | Output is not escaped | ||
| #4128 | Sticky Side Buttons | 64 | 27 | 4 | 10k+ | Unsafe printing function | ||
| #4129 | WProofreader spell & grammar check plugin for WordPress | 64 | 12 | 43 | 4k+ | Non-prefixed global variable | ||
| #4130 | Werk aan de Muur | 64 | 48 | 20 | 900 | Non Singular String Literal Domain | ||
| #4131 | WP Login Door | 64 | 19 | 11 | 400 | Output is not escaped | ||
| #4132 | WP REST API Controller | 64 | 8 | 22 | 8k+ | Nonce verification recommended | ||
| #4133 | WP Search with Algolia | 64 | 27 | 16 | 7k+ | Missing direct file access protection | ||
| #4134 | WP Term Order | 64 | 2 | 26 | 6k+ | Nonce verification recommended | ||
| #4135 | Authorizer | 65 | 3 | 54 | 5k+ | Nonce verification recommended | ||
| #4136 | Contact Form 7 – Success Page Redirects | 65 | 5 | 15 | 10k+ | Input is not sanitized | ||
| #4137 | Custom Product Tabs for WooCommerce WP All Import Add-on | 65 | 18 | 18 | 1k+ | Non-prefixed global variable | ||
| #4138 | Cyr to Lat Reloaded – Transliteration of Links and File Names | 65 | 13 | 36 | 30k+ | Direct Query | ||
| #4139 | Disable REST API | 65 | 12 | 15 | 80k+ | Output is not escaped | ||
| #4140 | EDD Hide Download | 65 | 13 | 13 | 600 | Output is not escaped | ||
| #4141 | Genesis Visual Hook Guide | 65 | 13 | 14 | 700 | Nonce verification recommended | ||
| #4142 | WP All Import – Import SEO Settings for All In One SEO | 65 | 19 | 11 | 900 | Output is not escaped | ||
| #4143 | Integration for Elementor forms – Sendinblue | 65 | 94 | 56 | 7k+ | Text Domain Mismatch | ||
| #4144 | Product Image and Video Gallery Slider for WooCommerce | 65 | 13 | 7 | 700 | Output is not escaped | ||
| #4145 | T4B News Ticker – Responsive News Scroller, Slider, and Animations | 65 | 20 | 10 | 7k+ | Output is not escaped | ||
| #4146 | Web and WooCommerce Addons for WPBakery Builder | 65 | 497 | 123 | 1k+ | Text Domain Mismatch | ||
| #4147 | AI Product Gallery Slider for WooCommerce, Product Image Zoom, Product Video, Additional Variation Images Gallery – WPBean | 65 | 264 | 16 | 1k+ | Text Domain Mismatch | ||
| #4148 | Ajaxify Comments – Ajax and Lazy Loading Comments | 65 | 20 | 38 | 3k+ | Non-prefixed hook name | ||
| #4149 | AC Advanced Flamingo Settings | 66 | 6 | 32 | 700 | Nonce verification recommended | ||
| #4150 | ACF RGBA Color Picker | 66 | 37 | 3 | 6k+ | Text Domain Mismatch |