WordPress.WP.AlternativeFunctions.rand_mt_rand
rand mt rand
The plugin uses a random function that may not be appropriate for the task.
Why It Shows Up
The scan found functions such as `rand()`, `mt_rand()`, `srand()`, or `mt_srand()`.
Why It Matters
`rand()` and `mt_rand()` are general-purpose pseudo-random generators, not cryptographically secure ones, so their output is predictable and unsuitable for security-sensitive values such as tokens, keys, and nonces. Seeding them manually with `srand()` or `mt_srand()` makes the sequence reproducible and can reduce randomness further.
How to Fix
- Use `wp_rand()` for ordinary WordPress randomness.
- Use PHP cryptographic randomness for security-sensitive tokens.
- Avoid manual random seeding unless there is a narrow, documented reason.
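The following PHP is an added example, not code from this page or from any of the plugins listed below. It shows the pattern the sniff flags (a token built from `mt_rand()`) beside the fixes the list above describes: `random_bytes()` and `random_int()` for security-sensitive values, `wp_rand()` for ordinary randomness, and a small check that demonstrates why fixed seeding with `mt_srand()` is a problem. The function names `weak_reset_token`, `secure_reset_token`, `secure_code`, `pick_random_index`, and `seeded_sequences_repeat` are assumptions made for this example; `wp_rand()` is WordPress core and is only called when it exists, so the file also runs under plain PHP 7.0+.

```php
<?php
// Added example for the rand_mt_rand sniff; not taken from the page or any listed plugin.
// Requires PHP 7.0+ for random_int()/random_bytes(). wp_rand() is a WordPress core
// function and is only used when this file runs inside WordPress.

declare(strict_types=1);

/**
 * "Before": the pattern the sniff flags. mt_rand() is a Mersenne Twister PRNG,
 * not a CSPRNG, so a token built this way can be predicted from earlier outputs.
 * Kept here only to show what is being replaced.
 */
function weak_reset_token(int $length = 32): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
    $token = '';
    for ($i = 0; $i < $length; $i++) {
        $token .= $alphabet[mt_rand(0, strlen($alphabet) - 1)];
    }
    return $token;
}

/**
 * "After": a security-sensitive token drawn from the OS CSPRNG via random_bytes().
 * 32 bytes become 64 hex characters (256 bits). random_bytes() throws on failure
 * rather than silently returning weak output, so callers never get a bad token.
 */
function secure_reset_token(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));
}

/**
 * Picking characters from a fixed alphabet (a coupon or serial code, say):
 * random_int() returns a uniformly distributed, CSPRNG-backed integer in an
 * inclusive range, so there is no modulo bias and no predictable sequence.
 */
function secure_code(int $length = 12): string
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // omits 0/O and 1/I to avoid confusion
    $max = strlen($alphabet) - 1;
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $alphabet[random_int(0, $max)];
    }
    return $code;
}

/**
 * Ordinary, non-security randomness (which testimonial to show, gallery order).
 * Inside WordPress this is what wp_rand() is for; the random_int() branch only
 * exists so the file runs outside WordPress.
 */
function pick_random_index(int $count): int
{
    if (function_exists('wp_rand')) {
        return wp_rand(0, $count - 1);
    }
    return random_int(0, $count - 1);
}

/**
 * Why manual seeding is flagged: after mt_srand() with a fixed seed, mt_rand()
 * yields exactly the same sequence every time. Returns true when two seeded
 * runs match, i.e. when the "random" values are fully reproducible.
 */
function seeded_sequences_repeat(int $seed = 42, int $count = 5): bool
{
    mt_srand($seed);
    $first = [];
    for ($i = 0; $i < $count; $i++) {
        $first[] = mt_rand();
    }

    mt_srand($seed);
    $second = [];
    for ($i = 0; $i < $count; $i++) {
        $second[] = mt_rand();
    }

    return $first === $second;
}

if (PHP_SAPI === 'cli') {
    echo 'weak token (flagged): ', weak_reset_token(), PHP_EOL;
    echo 'secure token        : ', secure_reset_token(), PHP_EOL;
    echo 'secure code         : ', secure_code(), PHP_EOL;
    echo 'random index 0-9    : ', pick_random_index(10), PHP_EOL;
    echo 'seeded runs repeat  : ', var_export(seeded_sequences_repeat(), true), PHP_EOL;
}
```

Run it with `php example.php`. The seeding check is the practical argument against `mt_srand()` in plugin code: once a caller can learn or guess the seed, every later `mt_rand()` value is known, which is why the sniff treats manual seeding as a defect unless a narrow, documented reason exists (reproducible test fixtures, for instance).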
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #401 | Gravity Forms: Multiple Form Instances | 35 | 6 | 6 | 700 | | | Hidden files included |
| #402 | IntenseDebate Comments | 35 | 203 | 114 | 500 | | | Output is not escaped |
| #403 | Keyring | 35 | 233 | 203 | 1k+ | | | Output is not escaped |
| #404 | Lenix scss compiler | 35 | 133 | 34 | 800 | | | Exception output is not escaped |
| #405 | Publitio | 35 | 47 | 26 | 400 | | | curl curl setopt |
| #406 | Shipping Zones by Drawing for WooCommerce | 35 | 278 | 95 | 600 | | | Text Domain Mismatch |
| #407 | SiteGround Migrator | 35 | 113 | 74 | 70k+ | | | Missing Arg Domain |
| #408 | WP Mailto Links – Protect Email Addresses | 35 | 95 | 69 | 8k+ | | | Output is not escaped |
| #409 | WP PGP Encrypted Emails | 35 | 63 | 39 | 400 | | | Output is not escaped |
| #410 | BuddyMeet | 36 | 114 | 32 | 700 | | | Unsafe printing function |
| #411 | Drag and Drop Multiple File Upload for Contact Form 7 | 36 | 82 | 36 | 60k+ | | | wp function not compatible with requires wp |
| #412 | Dynamic Front-End Heartbeat Control | 36 | 217 | 111 | 1k+ | | | Text Domain Mismatch |
| #413 | Dynamic Visibility for Elementor | 36 | 56 | 89 | 50k+ | | | Non-prefixed hook name |
| #414 | Email Before Download | 36 | 89 | 29 | 6k+ | | | Unsafe printing function |
| #415 | News Manager | 36 | 134 | 57 | 600 | | | Output is not escaped |
| #416 | PDF Forms Filler for CF7 | 36 | 185 | 79 | 3k+ | | | Text Domain Mismatch |
| #417 | PDF Forms Filler for WPForms | 36 | 161 | 54 | 600 | | | Text Domain Mismatch |
| #418 | Photonic Gallery & Lightbox for Flickr, SmugMug & Others | 36 | 180 | 163 | 10k+ | | | Missing Translators Comment |
| #419 | Stripe Tax – Sales tax automation for WooCommerce | 36 | 97 | 61 | 30k+ | | | Exception output is not escaped |
| #420 | WP LaTeX | 36 | 103 | 12 | 700 | | | Output is not escaped |
| #421 | Database Snapshots – WPvivid | 36 | 66 | 108 | 1k+ | | | Direct Query |
| #422 | Avatar Privacy | 37 | 82 | 36 | 1k+ | | | Missing direct file access protection |
| #423 | CryptAPI Payment Gateway for WooCommerce | 37 | 187 | 29 | 400 | | | Text Domain Mismatch |
| #424 | Customer Email Verification for WooCommerce | 37 | 165 | 164 | 2k+ | | | Nonce verification recommended |
| #425 | Easy Testimonial Slider and Form | 37 | 14 | 144 | 700 | | | Request data is not unslashed |
| #426 | 果果推送 | 37 | 31 | 56 | 1k+ | | | Nonce verification recommended |
| #427 | Gmail SMTP | 37 | 84 | 73 | 10k+ | | | Unsafe printing function |
| #428 | Horizontal scrolling announcements | 37 | 215 | 140 | 8k+ | | | Output is not escaped |
| #429 | Sensei LMS Certificates | 37 | 97 | 362 | 5k+ | | | Non-prefixed global variable |
| #430 | Spam Destroyer | 37 | 63 | 43 | 6k+ | | | rand rand |
| #431 | Website Pop-up Builder by BDOW! (formerly Sumo): Pop-ups + forms for email opt-ins and lead generation | 37 | 42 | 33 | 10k+ | | | Output is not escaped |
| #432 | Time Clock – A WordPress Employee & Volunteer Time Clock Plugin | 37 | 166 | 107 | 500 | | | Output is not escaped |
| #433 | Views for WPForms – Display & Edit WPForms Entries on your site frontend | 37 | 80 | 64 | 1k+ | | | Output is not escaped |
| #434 | WP Category Permalink | 37 | 75 | 31 | 2k+ | | | Output is not escaped |
| #435 | FundEngine – Donation and Crowdfunding Platform | 37 | 90 | 9 | 1k+ | | | Exception output is not escaped |
| #436 | Bulgarisation for WooCommerce | 38 | 128 | 592 | 5k+ | | | Nonce verification recommended |
| #437 | GiveWP Donation Widgets for Elementor | 38 | 483 | 13 | 7k+ | | | Text Domain Mismatch |
| #438 | SCSS WP Editor | 38 | 111 | 40 | 900 | | | Exception output is not escaped |
| #439 | Ninja Forms Views – Display & Edit Ninja Forms Submissions on your site frontend | 38 | 84 | 49 | 1k+ | | | Output is not escaped |
| #440 | Better Random Redirect | 39 | 88 | 40 | 700 | | | Text Domain Mismatch |
| #441 | BOX NOW Delivery Croatia | 39 | 64 | 99 | 700 | | | Missing nonce verification |
| #442 | Contact Form 7 – Dynamic Text Extension | 39 | 103 | 28 | 100k+ | | | Output is not escaped |
| #443 | Cookies for Comments | 39 | 22 | 29 | 20k+ | | | Input is not validated |
| #444 | DefendWP Firewall | 39 | 16 | 203 | 3k+ | | | Non-prefixed global variable |
| #445 | Serial Number for Contact Form 7 | 39 | 105 | 53 | 2k+ | | | Non Singular String Literal Domain |
| #446 | upPrev | 39 | 35 | 36 | 1k+ | | | Dynamic hook name |
| #447 | WP Sitemap Control | 39 | 31 | 37 | 400 | | | Output is not escaped |
| #448 | Coupon Generator for WooCommerce | 40 | 39 | 28 | 10k+ | | | Unsafe printing function |
| #449 | Loan Comparison | 40 | 27 | 192 | 400 | | | Request data is not unslashed |
| #450 | Logbook | 40 | 33 | 59 | 2k+ | | | Nonce verification recommended |