This is the code that is generating that message [1] as you can see, it checks if the global PHP variable $_POST is present and not empty (which only happens when you send a HTTP request using the POST method) then proceeds to check if the “sucuriscan_page_nonce” parameter is present in the request, it fails if the parameter is not present or if the value differs from the expected value to protect the forms against CSRF attacks.
When you click the links in the menu, you are sending a GET request to the server so this code will not execute, it only runs when you submit data via a form. Considering this, there is only one reason to justify the appearance of that message: another plugin or theme is pushing data into the global POST variable even when the request is via GET.
Compare the setup of one of the websites where the plugin works with the setup in this website where the plugin is showing that message. Any difference, including not only active but also installed plugins, themes and widgets is relevant. Make sure that they are configured the same way, then test again, I am pretty sure that the problem is in one of the plugins/themes that you have installed.
Alternatively, but this is very rare, your web server may be misconfigured and is duplicating the data from the GET request into other global variables like REQUEST which is also taken in consideration by POST, in this case you will have to communicate with your hosting provider to fix the issue.
Marking as resolved for now, feel free to re-open if you need more information.
[1] https://github.com/Sucuri/sucuri-wordpress-plugin/blob/b1e8647/src/interface.lib.php#L240-L263
