WordPress.WP.AlternativeFunctions.rand_mt_rand
The plugin uses a random function that may not be appropriate for the task.
Why It Shows Up
The scan found functions such as `rand()`, `mt_rand()`, `srand()`, or `mt_srand()`.
Why It Matters
General-purpose random functions such as `rand()` and `mt_rand()` are not cryptographically secure, so their output is predictable and unsuitable for security-sensitive tokens (password resets, API keys, nonces); seeding them manually with `srand()` or `mt_srand()` can reduce randomness further by making the sequence reproducible.
How to Fix
- Use `wp_rand()` for ordinary WordPress randomness.
- Use PHP cryptographic randomness for security-sensitive tokens.
- Avoid manual random seeding unless there is a narrow, documented reason.
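As an added illustration (not code from the scanned plugins or from WordPress core), the following PHP shows a reset-token generator written the way the sniff flags, beside a hardened version built on PHP's CSPRNG functions `random_bytes()` and `random_int()`. The function names, the SHA-256 storage scheme and the 15-minute lifetime are assumptions for the example; `wp_rand()` is guarded with `function_exists()` so the file also runs from the command line outside WordPress.

```php
<?php
// Added example, not taken from any plugin in the table or from WordPress core.
// All function names below are hypothetical.

// Flagged pattern: mt_rand() is a Mersenne Twister, not a CSPRNG. It has a 32-bit
// seed space, its internal state can be reconstructed from observed outputs, and
// seeding it from time() makes the sequence reproducible. Both calls below trip
// WordPress.WP.AlternativeFunctions.rand_mt_rand.
function weak_reset_token(): string {
    mt_srand(time());                          // manual seeding: flagged
    $token = '';
    for ($i = 0; $i < 32; $i++) {
        $token .= dechex(mt_rand(0, 15));      // mt_rand() for a security token: flagged
    }
    return $token;
}

// Hardened: random_bytes() draws from the OS CSPRNG; there is no seed to guess and
// no state to recover. 16 bytes = 128 bits of entropy, rendered as 32 hex characters.
function secure_reset_token(): string {
    return bin2hex(random_bytes(16));
}

// Store only a hash of the token so a database read does not yield usable tokens.
// (Assumed scheme: SHA-256 plus a 15-minute expiry.)
function token_record(string $token): array {
    return [
        'hash'    => hash('sha256', $token),
        'expires' => time() + 15 * 60,
    ];
}

// Verify with a constant-time comparison against the stored hash.
function token_matches(string $presented, array $record): bool {
    if (time() > $record['expires']) {
        return false;
    }
    return hash_equals($record['hash'], hash('sha256', $presented));
}

// Ordinary randomness (e.g. choosing which testimonial to display) is not
// security-sensitive. Inside WordPress, wp_rand() is the idiomatic call; it is not
// defined outside WordPress, so fall back to random_int() on the CLI.
function pick_index(int $count): int {
    if (function_exists('wp_rand')) {
        return wp_rand(0, $count - 1);
    }
    return random_int(0, $count - 1);
}

// CLI usage
$token  = secure_reset_token();
$record = token_record($token);
var_dump(strlen($token) === 32);                       // bool(true)
var_dump(token_matches($token, $record));              // bool(true)
var_dump(token_matches(weak_reset_token(), $record));  // bool(false)
echo pick_index(5), PHP_EOL;                           // an integer 0..4
```

Running `php` on the file prints the three `var_dump` results and a random index; a PHPCS run with the WordPress standard reports only the `mt_srand()` and `mt_rand()` lines in `weak_reset_token()`, which is the signal to replace that function with `secure_reset_token()`.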
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue |
|---|---|---|---|---|---|---|
| #351 | WooCommerce Tax (formerly WooCommerce Shipping & Tax) | 30 | 103 | 198 | 600k+ | Non-prefixed class |
| #352 | WP 2FA – Two-factor authentication for WordPress | 30 | 269 | 380 | 100k+ | Exception output is not escaped |
| #353 | WP Inventory Manager | 30 | 856 | 233 | 1k+ | Output is not escaped |
| #354 | cformsII | 31 | 777 | 536 | 4k+ | Unsafe printing function |
| #355 | Customer Email Verification for WooCommerce | 31 | 192 | 290 | 2k+ | Non-prefixed global variable |
| #356 | Express Checkout via PayPal for WooCommerce | 31 | 158 | 200 | 800 | Nonce verification recommended |
| #357 | RealHomes Stripe Payments | 31 | 202 | 33 | 500 | Exception output is not escaped |
| #358 | LWS Tools | 31 | 104 | 134 | 10k+ | Request data is not unslashed |
| #359 | Tooltips for WordPress | 31 | 312 | 252 | 5k+ | Output is not escaped |
| #360 | Advanced Access Manager – Access Governance for WordPress | 32 | 849 | 62 | 100k+ | Output is not escaped |
| #361 | Speed Kit | 32 | 296 | 73 | 2k+ | Output is not escaped |
| #362 | Contact Form Block | 32 | 64 | 77 | 500 | Non Singular String Literal Domain |
| #363 | Contact Form Builder by vcita | 32 | 666 | 174 | 700 | Text Domain Mismatch |
| #364 | DHL eCommerce (Benelux) for WooCommerce | 32 | 222 | 330 | 2k+ | Nonce verification recommended |
| #365 | Freesoul Deactivate Plugins – Disable plugins on individual WordPress pages | 32 | 53 | 773 | 9k+ | Nonce verification recommended |
| #366 | GSheetConnector For Ninja Forms | 32 | 165 | 93 | 1k+ | Unsafe printing function |
| #367 | GSheetConnector For WPForms – WPForms Google Sheets Integration (Real-Time Sync) | 32 | 120 | 145 | 8k+ | Non-prefixed global variable |
| #368 | Gwolle Guestbook | 32 | 269 | 527 | 20k+ | Output is not escaped |
| #369 | Honeypot Toolkit | 32 | 155 | 770 | 400 | Missing nonce verification |
| #370 | Juiz Last Tweet Widget | 32 | 136 | 53 | 500 | Output is not escaped |
| #371 | Plugin Organizer | 32 | 326 | 257 | 10k+ | Output is not escaped |
| #372 | RSS for Yandex Turbo | 32 | 687 | 307 | 20k+ | Unsafe printing function |
| #373 | Showcase IDX Real Estate Search & Lead Capture | 32 | 123 | 52 | 2k+ | Output is not escaped |
| #374 | Split Test For Elementor | 32 | 98 | 132 | 3k+ | Non-prefixed global variable |
| #375 | Thrive Automator | 32 | 84 | 84 | 10k+ | SQL query is not prepared |
| #376 | WP 2-step verification | 32 | 154 | 65 | 1k+ | Output is not escaped |
| #377 | WP Weixin | 32 | 60 | 152 | 400 | Non-prefixed constant |
| #378 | Gallery Custom Links | 33 | 64 | 62 | 30k+ | Non Singular String Literal Domain |
| #379 | GSheetConnector for Forminator Forms | 33 | 128 | 201 | 1k+ | Non-prefixed global variable |
| #380 | RSS Feed Pro | 33 | 484 | 16 | 500 | Output is not escaped |
| #381 | TrackingMore Order Tracking for WooCommerce (Free plan available) | 33 | 94 | 124 | 700 | Text Domain Mismatch |
| #382 | WebToffee WP Backup and Migration | 33 | 132 | 222 | 5k+ | Non-prefixed global variable |
| #383 | FluentAuth – The Ultimate Authorization & Security Plugin for WordPress | 34 | 44 | 229 | 10k+ | Nonce verification recommended |
| #384 | Hitsteps Web Analytics | 34 | 370 | 313 | 800 | Output is not escaped |
| #385 | Meow Analytics (Google Analytics) | 34 | 80 | 54 | 500 | Output is not escaped |
| #386 | Meow Lightbox | 34 | 75 | 52 | 10k+ | Non Singular String Literal Domain |
| #387 | OTP Login & Register Woocommerce | 34 | 148 | 202 | 1k+ | Missing nonce verification |
| #388 | Seriously Simple Stats | 34 | 99 | 126 | 5k+ | Output is not escaped |
| #389 | TaxJar – Sales Tax Automation for WooCommerce | 34 | 236 | 170 | 5k+ | Text Domain Mismatch |
| #390 | BjornTech PayPal POS integration for WooCommerce | 34 | 68 | 177 | 700 | Missing nonce verification |
| #391 | MailerLite – WooCommerce integration | 34 | 64 | 36 | 30k+ | Output is not escaped |
| #392 | WP Dummy Content Generator | 34 | 93 | 130 | 6k+ | Output is not escaped |
| #393 | WP-SCSS | 34 | 269 | 13 | 40k+ | Exception output is not escaped |
| #394 | WP Twitter Feeds | 34 | 202 | 82 | 2k+ | Output is not escaped |
| #395 | zipMoney(Zip Co) Payments Plugin for WooCommerce | 34 | 147 | 70 | 2k+ | Text Domain Mismatch |
| #396 | Akismet Anti-spam: Spam Protection | 35 | 33 | 99 | 6m+ | Non-prefixed global variable |
| #397 | Basic Google Maps Placemarks | 35 | 189 | 80 | 3k+ | Output is not escaped |
| #398 | Brozzme DB Prefix & Tools Addons | 35 | 24 | 42 | 9k+ | Request data is not unslashed |
| #399 | CF7 Views – Complete Entry Management for Contact Form 7 | 35 | 172 | 181 | 1k+ | Output is not escaped |
| #400 | Cryptex \| E-Mail Address Protection | 35 | 62 | 10 | 900 | Output is not escaped |