WordPress.Security.NonceVerification.Missing

Missing nonce verification

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical weight

Why It Shows Up

The scan found `$_GET`, `$_POST`, or similar request data in a context where a nonce check is expected but missing.

Why It Matters

Without nonce verification, an attacker may be able to trick a logged-in user into submitting an unwanted state-changing request.

How to Fix

Add a nonce to the form, link, AJAX request, or REST request.
Verify it with `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before changing state.
Keep capability checks separate; nonces prove intent, not permission.

References

WordPress nonces

Affected Plugins

Rank	Plugin	Score	Errors	Warnings	Installs	Updated	Top Issue
#1	BulletProof Security	0	5,048	4,949	20k+	1 month ago	Output Not Escaped
#2	Plugin Check (PCP)	0	128	132	10k+	23 days ago	Exception Not Escaped
#3	Themify Builder	9	5,195	2,096	5k+	5 days ago	Text Domain Mismatch
#4	JetBackup – Backup, Restore & Migrate	10	1,559	145	100k+	2 months ago	Exception Not Escaped
#5	Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more	15	32	163	500k+	3 months ago	Direct Query
#6	AnyComment	17	445	449	5k+	4 years ago	Output Not Escaped
#7	wpForo Forum	17	4,033	2,922	20k+	21 days ago	Unsafe Printing Function
#8	WPtouch – Make your WordPress Website Mobile-Friendly	17	1,466	325	50k+	7 months ago	Text Domain Mismatch
#9	Prime Slider Addons for Elementor	18	3,500	230	100k+	6 days ago	Text Domain Mismatch
#10	WP Import Export Lite	18	738	979	40k+	11 months ago	Non Prefixed Variable Found
#11	Element Pack – Widgets, Templates & Addons for Elementor	19	9,448	517	100k+	5 days ago	Text Domain Mismatch
#12	Download Monitor	19	425	1,364	80k+	5 days ago	Non Prefixed Hookname Found
#13	Event Organiser	19	1,106	544	20k+	2 years ago	Text Domain Mismatch
#14	Advanced File Manager – Ultimate File Manager for WordPress And Document Library Solution	19	1,218	901	100k+	12 days ago	Exception Not Escaped
#15	Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps)	19	3,275	3,228	10k+	7 months ago	Output Not Escaped
#16	Matomo Analytics – Powerful, Privacy-First Insights for WordPress	19	1,909	878	100k+	5 days ago	Exception Not Escaped
#17	Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization	19	1,295	2,679	9k+	6 days ago	Output Not Escaped
#18	Really Simple Security – Simple and Performant Security (formerly Really Simple SSL)	19	541	385	3m+	4 days ago	Missing Translators Comment
#19	Membership Plugin – Kadence Memberships	19	5,082	2,982	9k+	26 days ago	Text Domain Mismatch
#20	SureCart – Ecommerce Made Easy For Selling Physical Products, Digital Downloads, Subscriptions, Donations, & Payments	19	526	1,119	90k+	5 days ago	Non Prefixed Variable Found
#21	BetterDocs – AI Documentation, Knowledge Base, Docs, Wikis, FAQ with Chatbot	20	508	1,406	30k+	3 days ago	Non Prefixed Variable Found
#22	Brizy – Page Builder	20	589	720	70k+	12 days ago	Output Not Escaped
#23	Filter Everything — WordPress & WooCommerce Filters	20	568	730	50k+	3 days ago	Output Not Escaped
#24	GiveWP – Donation Plugin and Fundraising Platform	20	3,435	3,580	100k+	6 days ago	Output Not Escaped
#25	Link Library	20	1,941	1,397	10k+	2 months ago	Unsafe Printing Function
#26	Brevo – Email, SMS, Web Push, Chat, and more.	20	460	646	100k+	2 months ago	Missing Unslash
#27	Microthemer Lite – Visual Editor to Customize CSS	20	1,004	1,699	10k+	2 months ago	Non Prefixed Variable Found
#28	Nimble Page Builder	20	1,591	1,684	30k+	1 year ago	Missing Arg Domain
#29	Pix por Piggly (para Woocommerce)	20	547	195	4k+	2 years ago	Exception Not Escaped
#30	Remove Add to Cart WooCommerce	20	616	1,378	4k+	8 months ago	Non Prefixed Variable Found
#31	Robin Image Optimizer – Unlimited Image Optimization, WebP & AVIF	20	557	541	100k+	1 month ago	Output Not Escaped
#32	Razorpay for WooCommerce	20	974	855	100k+	2 days ago	Non Prefixed Function Found
#33	WPJAM Basic	20	328	356	4k+	5 days ago	Output Not Escaped
#34	Store Locator WordPress	21	2,372	1,572	10k+	18 days ago	Text Domain Mismatch
#35	Backup Migration	21	981	1,093	80k+	16 days ago	Non Prefixed Variable Found
#36	bbPress	21	929	3,672	100k+	12 months ago	Non Prefixed Function Found
#37	Captcha Them All	21	300	323	6k+	3 years ago	Output Not Escaped
#38	Smart Grid-Layout Design for Contact Form 7	21	1,126	734	10k+	1 month ago	Output Not Escaped
#39	Comet Cache	21	857	245	20k+	12 months ago	Output Not Escaped
#40	Cost Calculator Builder	21	322	765	30k+	2 days ago	Non Prefixed Variable Found
#41	Free Downloads WooCommerce	21	430	359	4k+	1 month ago	Output Not Escaped
#42	Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More	21	2,572	1,277	1m+	1 month ago	Output Not Escaped
#43	Envo Extra	21	878	600	20k+	25 days ago	Text Domain Mismatch
#44	eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams	21	186	437	9k+	2 months ago	Non Prefixed Variable Found
#45	ERP: Complete HR, Accounting & CRM Suite with Recruitment and WooCommerce CRM Support	21	829	5,966	5k+	3 days ago	Direct Query
#46	EventPrime – Events Calendar, Bookings and Tickets	21	872	4,297	7k+	yesterday	Non Prefixed Variable Found
#47	Feeds for YouTube (YouTube video, channel, and gallery plugin)	21	558	978	100k+	11 days ago	Output Not Escaped
#48	FileOrganizer – WordPress File Manager	21	536	241	200k+	11 days ago	unlink unlink
#49	If-So Dynamic Content – Elementor & All Page Builders Personalization	21	889	725	7k+	24 days ago	Unsafe Printing Function
#50	Imagify: Optimize Images for Top Speed (Compress & Convert to WebP/AVIF)	21	418	851	1m+	20 days ago	Non Prefixed Variable Found