WordPress.Security.NonceVerification.Recommended
Nonce verification recommended
The code reads request data in a place where Plugin Check recommends a nonce check.
Why It Shows Up
The scan saw request handling that may not always mutate state, but still looks like a user-triggered action that should usually be protected by a nonce.
Why It Matters
Adding a nonce reduces accidental or forged requests and documents that the action is expected to originate from the plugin UI.
How to Fix
- For admin forms and action links, add and verify a nonce.
- For AJAX handlers, use `check_ajax_referer()`.
- For public read-only endpoints, document why a nonce is not required and keep input validation strict.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4151 | CP Media Player – Audio Player and Video Player | 66 | 224 | 48 | 3k+ | Text Domain Mismatch | ||
| #4152 | WPAdmin AWS CDN | 66 | 161 | 42 | 400 | Text Domain Mismatch | ||
| #4153 | Bopo – WooCommerce Product Bundle Builder | 66 | 137 | 135 | 1k+ | Text Domain Mismatch | ||
| #4154 | Calculated fields for ACF | 66 | 5 | 18 | 1k+ | Non-prefixed global variable | ||
| #4155 | Cookie Warning | 66 | 14 | 15 | 700 | Non-prefixed function | ||
| #4156 | Custom Login Page Templates – Change Logo, Background and CSS | 66 | 25 | 5 | 2k+ | Missing Arg Domain | ||
| #4157 | Easy PHP Settings | 66 | 34 | 48 | 1k+ | Missing Translators Comment | ||
| #4158 | Elementic | 66 | 22 | 9 | 900 | Text Domain Mismatch | ||
| #4159 | Export Categories | 66 | 22 | 13 | 1k+ | Output is not escaped | ||
| #4160 | Goaffpro Affiliate Marketing | 66 | 6 | 28 | 4k+ | Nonce verification recommended | ||
| #4161 | IranDargah Payment Gateway for Woocommerce | 66 | 66 | 26 | 400 | Text Domain Mismatch | ||
| #4162 | Product Code for WooCommerce | 66 | 13 | 54 | 1k+ | Missing direct file access protection | ||
| #4163 | Product Size Chart For WooCommerce | 66 | 9 | 22 | 6k+ | Non-prefixed hook name | ||
| #4164 | Safe Redirect Manager | 66 | 9 | 60 | 40k+ | Non-prefixed hook name | ||
| #4165 | Seed Fonts | 66 | 29 | 11 | 20k+ | Output is not escaped | ||
| #4166 | Shortcode for Current Date | 66 | 27 | 12 | 10k+ | Text Domain Mismatch | ||
| #4167 | TAO Schedule Update | 66 | 37 | 11 | 2k+ | Text Domain Mismatch | ||
| #4168 | User Profile Picture | 66 | 9 | 8 | 4k+ | Missing nonce verification | ||
| #4169 | Ajax add to cart for WooCommerce | 66 | 67 | 31 | 10k+ | Text Domain Mismatch | ||
| #4170 | WP Anti-Clickjack | 66 | 4 | 42 | 4k+ | Nonce verification recommended | ||
| #4171 | WP Multisite User Sync/Unsync | 66 | 15 | 31 | 700 | Missing Arg Domain | ||
| #4172 | WP Term Images | 66 | 4 | 18 | 2k+ | Nonce verification recommended | ||
| #4173 | Video Popup for Elementor – WPTD | 66 | 33 | 13 | 1k+ | Output is not escaped | ||
| #4174 | Raptive Ads | 67 | 34 | 31 | 6k+ | Text Domain Mismatch | ||
| #4175 | Awesome Contact Form7 for Elementor | 67 | 20 | 30 | 7k+ | Non-prefixed global variable | ||
| #4176 | CCM19 Integration | 67 | 14 | 13 | 4k+ | Nonce verification recommended | ||
| #4177 | Custom CSS Pro | 67 | 17 | 6 | 7k+ | Output is not escaped | ||
| #4178 | Duplicate TEC Event | 67 | 12 | 10 | 900 | date date | ||
| #4179 | Flexible Product Fields (WooCommerce Product Addons) – WooCommerce Product Page Editor | 67 | 57 | 98 | 10k+ | Non-prefixed global variable | ||
| #4180 | Hide Plugins | 67 | 7 | 15 | 1k+ | Nonce verification recommended | ||
| #4181 | Kraken.io Image Optimizer – Compress, Convert to WebP & AVIF, Resize & Bulk Optimize | 67 | 293 | 80 | 9k+ | Text Domain Mismatch | ||
| #4182 | Leadster | 67 | 6 | 10 | 4k+ | Non-prefixed function | ||
| #4183 | Mailster Gmail Integration | 67 | 15 | 13 | 1k+ | Missing Translators Comment | ||
| #4184 | Meks Audio Player | 67 | 25 | 7 | 1k+ | Output is not escaped | ||
| #4185 | Mosaic Gallery – Advanced Gallery | 67 | 45 | 79 | 3k+ | Non-prefixed global variable | ||
| #4186 | Multilingual Forms for Fluent Forms with WPML | 67 | 52 | 16 | 1k+ | Text Domain Mismatch | ||
| #4187 | onOffice for WP-Websites | 67 | 5 | 507 | 1k+ | Non-prefixed global variable | ||
| #4188 | Printful Integration for WooCommerce | 67 | 218 | 76 | 50k+ | Text Domain Mismatch | ||
| #4189 | Recurio – Ultimate Subscription for WooCommerce | 67 | 311 | 1k+ | Direct Query | |||
| #4190 | Safelayout Elegant Icons – WordPress icons | 67 | 3 | 17 | 700 | Input is not validated | ||
| #4191 | Simple HTTPS | 67 | 17 | 13 | 400 | Output is not escaped | ||
| #4192 | Cart links for WooCommerce | 67 | 13 | 16 | 500 | Text Domain Mismatch | ||
| #4193 | BitPay Gateway for WooCommerce | 67 | 64 | 21 | 400 | Text Domain Mismatch | ||
| #4194 | Payment Gateway for Cpay with WooCommerce | 67 | 67 | 26 | 400 | wp function not compatible with requires wp | ||
| #4195 | Webyx for Elementor – Fullpage Fullscreen Scrolling Websites | 67 | 684 | 10 | 500 | Non Singular String Literal Domain | ||
| #4196 | WP Image Zoom | 67 | 30 | 46 | 10k+ | Non-prefixed global variable | ||
| #4197 | WP SMTP Mailer – SMTP7 | 67 | 2 | 33 | 9k+ | Request data is not unslashed | ||
| #4198 | WP Notification Bars | 67 | 13 | 32 | 10k+ | Request data is not unslashed | ||
| #4199 | WP Post Branches | 67 | 16 | 12 | 4k+ | Nonce verification recommended | ||
| #4200 | Auto Image Title & Alt | 68 | 13 | 4 | 400 | Missing direct file access protection |