WordPress.Security.NonceVerification.Recommended

Nonce verification recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical weight

Why It Shows Up

The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.

Why It Matters

Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.

How to Fix

  • For admin forms and action links, add and verify a nonce.
  • For AJAX handlers, use `check_ajax_referer()`.
  • For public read-only endpoints, document why a nonce is not required and keep input validation strict.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4151CP Media Player – Audio Player and Video Player66224483k+Text Domain Mismatch
#4152WPAdmin AWS CDN6616142400Text Domain Mismatch
#4153Bopo – WooCommerce Product Bundle Builder661371351k+Text Domain Mismatch
#4154Calculated fields for ACF665181k+Non-prefixed global variable
#4155Cookie Warning661415700Non-prefixed function
#4156Custom Login Page Templates – Change Logo, Background and CSS662552k+Missing Arg Domain
#4157Easy PHP Settings6634481k+Missing Translators Comment
#4158Elementic66229900Text Domain Mismatch
#4159Export Categories6622131k+Output is not escaped
#4160Goaffpro Affiliate Marketing666284k+Nonce verification recommended
#4161IranDargah Payment Gateway for Woocommerce666626400Text Domain Mismatch
#4162Product Code for WooCommerce6613541k+Missing direct file access protection
#4163Product Size Chart For WooCommerce669226k+Non-prefixed hook name
#4164Safe Redirect Manager6696040k+Non-prefixed hook name
#4165Seed Fonts66291120k+Output is not escaped
#4166Shortcode for Current Date66271210k+Text Domain Mismatch
#4167TAO Schedule Update6637112k+Text Domain Mismatch
#4168User Profile Picture66984k+Missing nonce verification
#4169Ajax add to cart for WooCommerce66673110k+Text Domain Mismatch
#4170WP Anti-Clickjack664424k+Nonce verification recommended
#4171WP Multisite User Sync/Unsync661531700Missing Arg Domain
#4172WP Term Images664182k+Nonce verification recommended
#4173Video Popup for Elementor – WPTD6633131k+Output is not escaped
#4174Raptive Ads6734316k+Text Domain Mismatch
#4175Awesome Contact Form7 for Elementor6720307k+Non-prefixed global variable
#4176CCM19 Integration6714134k+Nonce verification recommended
#4177Custom CSS Pro671767k+Output is not escaped
#4178Duplicate TEC Event671210900date date
#4179Flexible Product Fields (WooCommerce Product Addons) – WooCommerce Product Page Editor67579810k+Non-prefixed global variable
#4180Hide Plugins677151k+Nonce verification recommended
#4181Kraken.io Image Optimizer – Compress, Convert to WebP & AVIF, Resize & Bulk Optimize67293809k+Text Domain Mismatch
#4182Leadster676104k+Non-prefixed function
#4183Mailster Gmail Integration6715131k+Missing Translators Comment
#4184Meks Audio Player672571k+Output is not escaped
#4185Mosaic Gallery – Advanced Gallery6745793k+Non-prefixed global variable
#4186Multilingual Forms for Fluent Forms with WPML6752161k+Text Domain Mismatch
#4187onOffice for WP-Websites6755071k+Non-prefixed global variable
#4188Printful Integration for WooCommerce672187650k+Text Domain Mismatch
#4189Recurio – Ultimate Subscription for WooCommerce673111k+Direct Query
#4190Safelayout Elegant Icons – WordPress icons67317700Input is not validated
#4191Simple HTTPS671713400Output is not escaped
#4192Cart links for WooCommerce671316500Text Domain Mismatch
#4193BitPay Gateway for WooCommerce676421400Text Domain Mismatch
#4194Payment Gateway for Cpay with WooCommerce676726400wp function not compatible with requires wp
#4195Webyx for Elementor – Fullpage Fullscreen Scrolling Websites6768410500Non Singular String Literal Domain
#4196WP Image Zoom67304610k+Non-prefixed global variable
#4197WP SMTP Mailer – SMTP7672339k+Request data is not unslashed
#4198WP Notification Bars67133210k+Request data is not unslashed
#4199WP Post Branches6716124k+Nonce verification recommended
#4200Auto Image Title & Alt68134400Missing direct file access protection