WordPress.WP.AlternativeFunctions.rand_mt_rand
rand mt rand
The plugin uses a random function that may not be appropriate for the task.
Why It Shows Up
The scan found functions such as `rand()`, `mt_rand()`, `srand()`, or `mt_srand()`.
Why It Matters
`rand()` and `mt_rand()` are general-purpose pseudo-random generators (Mersenne Twister; since PHP 7.1 `rand()` is an alias of `mt_rand()`), not a cryptographically secure source. Their internal state can be recovered from a run of observed outputs, so any password-reset key, API key, nonce or session token built from them can be predicted. Seeding by hand with `srand()` or `mt_srand()` makes this worse: a seed such as `time()` or a fixed constant makes the whole sequence reproducible by anyone who can guess the seed, and reseeding on every call collapses the output to a function of the clock.
How to Fix
- Use `wp_rand()` for ordinary, non-security randomness in WordPress code (picking a sample item, jittering a schedule); it is the replacement the sniff suggests and is backed by `random_int()` in current WordPress versions.
- Use PHP's CSPRNG directly for security-sensitive values: `random_bytes()` for tokens and keys, `random_int()` for integers in a range, or WordPress's `wp_generate_password()`, which draws from `wp_rand()`.
- Avoid manual seeding with `srand()` or `mt_srand()` unless there is a narrow, documented reason (a reproducible test fixture, for example); a CSPRNG needs no seeding and must not be seeded.
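The pattern the sniff flags, beside the replacement that clears it, as an added example that is not code from this page or from any of the plugins listed below. The `demo_*` function names are hypothetical; the `wp_rand()` branch assumes the code runs inside WordPress and falls back to `random_int()` elsewhere.

```php
<?php
// Added example (not from the page or any listed plugin): the construct
// WordPress.WP.AlternativeFunctions.rand_mt_rand reports, and a fix.

// BEFORE: flagged by the sniff. mt_rand() is a Mersenne Twister PRNG, and
// mt_srand( time() ) pins its whole output to the clock, so the "random"
// reset token is a pure function of the current second.
function demo_reset_token_weak() {
    mt_srand( time() );
    $token = '';
    for ( $i = 0; $i < 32; $i++ ) {
        $token .= dechex( mt_rand( 0, 15 ) );
    }
    return $token;
}

// Two calls within the same second return the same token: that is the
// predictability the sniff is warning about. Returns true in that case.
function demo_weak_token_repeats() {
    return demo_reset_token_weak() === demo_reset_token_weak();
}

// AFTER: a security-sensitive token comes from PHP's CSPRNG. random_bytes()
// throws an Exception when no secure source is available, so a misconfigured
// host fails loudly instead of silently handing out weak tokens.
function demo_reset_token_strong() {
    return bin2hex( random_bytes( 16 ) ); // 128 bits of entropy, 32 hex chars
}

// Ordinary, non-security randomness: wp_rand() is the alternative the sniff
// recommends inside WordPress; random_int() covers the non-WordPress case.
function demo_pick_index( array $items ) {
    if ( empty( $items ) ) {
        return null;
    }
    $max = count( $items ) - 1;
    if ( function_exists( 'wp_rand' ) ) {
        return wp_rand( 0, $max );
    }
    return random_int( 0, $max );
}

// Constructed sample input for a stand-alone run.
$sample = array( 'alpha', 'beta', 'gamma' );
echo 'weak token repeats within a second: '
    . ( demo_weak_token_repeats() ? 'yes' : 'no' ) . PHP_EOL;
echo 'strong token: ' . demo_reset_token_strong() . PHP_EOL;
echo 'picked: ' . $sample[ demo_pick_index( $sample ) ] . PHP_EOL;
```

Run it with `php demo.php`; the first line prints `yes`, which is the whole problem with the seeded version. Inside WordPress, `wp_generate_password( 32, false )` is the usual one-liner for an alphanumeric token and is fine because it draws from `wp_rand()`; the direct `random_bytes()` form is shown here because it also works in plugin code that can be loaded outside WordPress and makes the entropy budget explicit.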
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1 | JetBackup – Backup, Restore & Migrate | 10 | 1,559 | 145 | 100k+ | | | Exception output is not escaped |
| #2 | Efí Bank | 17 | 886 | 553 | 400 | | | Exception output is not escaped |
| #3 | wpForo Forum | 17 | 4,033 | 2,922 | 20k+ | | | Unsafe printing function |
| #4 | WPtouch – Make your WordPress Website Mobile-Friendly | 17 | 1,466 | 325 | 50k+ | | | Text Domain Mismatch |
| #5 | Shopping Cart & eCommerce Store | 18 | 5,459 | 17,298 | 4k+ | | | Non-prefixed global variable |
| #6 | WP Directory Kit | 18 | 2,119 | 2,617 | 2k+ | | | Non-prefixed global variable |
| #7 | Element Pack – Widgets, Templates & Addons for Elementor | 19 | 9,448 | 517 | 100k+ | | | Text Domain Mismatch |
| #8 | Download Monitor | 19 | 425 | 1,364 | 80k+ | | | Non-prefixed hook name |
| #9 | Advanced File Manager – Ultimate File Manager for WordPress And Document Library Solution | 19 | 1,218 | 901 | 100k+ | | | Exception output is not escaped |
| #10 | Realtyna Organic IDX plugin + WPL Real Estate | 19 | 947 | 3,653 | 2k+ | | | Non-prefixed global variable |
| #11 | Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) | 19 | 541 | 385 | 3m+ | | | Missing Translators Comment |
| #12 | Membership Plugin – Kadence Memberships | 19 | 5,082 | 2,982 | 9k+ | | | Text Domain Mismatch |
| #13 | Scrollsequence – Cinematic Scroll Image Animation Plugin | 19 | 878 | 1,528 | 4k+ | | | Non-prefixed global variable |
| #14 | SendPress Newsletters | 19 | 2,293 | 1,422 | 2k+ | | | Output is not escaped |
| #15 | WP Import Export Lite | 19 | 737 | 979 | 40k+ | | | Non-prefixed global variable |
| #16 | WPOSS阿里云对象存储 | 19 | 269 | 315 | 1k+ | | | Non-prefixed namespace |
| #17 | WPQiNiu七牛云对象存储 | 19 | 138 | 612 | 400 | | | Non-prefixed global variable |
| #18 | SysBasics Customize My Account for WooCommerce – Live My Account Customizer | 20 | 875 | 909 | 8k+ | | | Non-prefixed global variable |
| #19 | Event Espresso – Event Registration & Ticketing Sales | 20 | 12,698 | 2,135 | 600 | | | Text Domain Mismatch |
| #20 | GiveWP – Donation Plugin and Fundraising Platform | 20 | 3,435 | 3,575 | 100k+ | | | Output is not escaped |
| #21 | GoUrl Bitcoin Payment Gateway & Paid Downloads & Membership | 20 | 1,832 | 720 | 800 | | | Non Singular String Literal Domain |
| #22 | Leaky Paywall | 20 | 320 | 782 | 700 | | | Nonce verification recommended |
| #23 | MBE eShip | 20 | 527 | 740 | 1k+ | | | Non-prefixed global variable |
| #24 | Brevo – Email, SMS, Web Push, Chat, and more. | 20 | 460 | 646 | 100k+ | | | Request data is not unslashed |
| #25 | Microthemer Lite – Visual Editor to Customize CSS | 20 | 1,004 | 1,699 | 10k+ | | | Non-prefixed global variable |
| #26 | Nimble Page Builder | 20 | 1,591 | 1,684 | 30k+ | | | Missing Arg Domain |
| #27 | پلاگین پرداخت دلخواه | 20 | 584 | 446 | 900 | | | Text Domain Mismatch |
| #28 | Pix por Piggly (para Woocommerce) | 20 | 547 | 195 | 4k+ | | | Exception output is not escaped |
| #29 | Events Manager – OpenStreetMaps | 20 | 559 | 444 | 700 | | | Output is not escaped |
| #30 | Razorpay for WooCommerce | 20 | 974 | 855 | 100k+ | | | Non-prefixed function |
| #31 | WPJAM Basic | 20 | 328 | 356 | 4k+ | | | Output is not escaped |
| #32 | Backup Migration | 21 | 981 | 1,093 | 80k+ | | | Non-prefixed global variable |
| #33 | Forumax – AI Powered Advanced Community Forum Plugin | 21 | 4,936 | 4,357 | 600 | | | Text Domain Mismatch |
| #34 | bbPress | 21 | 929 | 3,672 | 100k+ | | | Non-prefixed function |
| #35 | Pinpoint Booking System – Version 2 | 21 | 634 | 328 | 3k+ | | | Missing direct file access protection |
| #36 | Booking Ultra Pro Appointments Booking Calendar Plugin | 21 | 761 | 2,083 | 400 | | | Request data is not unslashed |
| #37 | Captcha Them All | 21 | 300 | 323 | 6k+ | | | Output is not escaped |
| #38 | Smart Grid-Layout Design for Contact Form 7 | 21 | 1,126 | 734 | 10k+ | | | Output is not escaped |
| #39 | Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More | 21 | 2,572 | 1,277 | 1m+ | | | Output is not escaped |
| #40 | Ebook Store | 21 | 666 | 1,087 | 700 | | | Non-prefixed global variable |
| #41 | ERP: Complete HR, Recruitment, Accounting & CRM Suite with WooCommerce CRM Support | 21 | 829 | 5,966 | 5k+ | | | Direct Query |
| #42 | EventPrime – Events Calendar, Bookings and Tickets | 21 | 872 | 4,297 | 7k+ | | | Non-prefixed global variable |
| #43 | FileOrganizer – WordPress File Manager | 21 | 536 | 241 | 200k+ | | | unlink unlink |
| #44 | Formidable Forms – WordPress Form Builder for Contact Forms, Calculators, Quizzes & More | 21 | 52 | 1,959 | 300k+ | | | Non-prefixed global variable |
| #45 | Frontend Dashboard | 21 | 384 | 945 | 500 | | | Non-prefixed function |
| #46 | Mooberry Book Manager | 21 | 1,040 | 399 | 1k+ | | | Text Domain Mismatch |
| #47 | MotoPress Hotel Booking | 21 | 3,061 | 1,037 | 10k+ | | | Text Domain Mismatch |
| #48 | OneLogin SAML SSO | 21 | 508 | 330 | 7k+ | | | wp function not compatible with requires wp |
| #49 | Packeta | 21 | 802 | 333 | 8k+ | | | Exception output is not escaped |
| #50 | Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction | 21 | 1,918 | 5,065 | 10k+ | | | Non-prefixed hook name |