WordPress.WP.AlternativeFunctions.rand_rand
rand rand
The plugin uses a random function that may not be appropriate for the task.
Why It Shows Up
The scan found functions such as `rand()`, `mt_rand()`, `srand()`, or `mt_srand()`.
Why It Matters
PHP's general-purpose random functions (`rand()`, `mt_rand()`) are not cryptographically secure, so they are unsuitable for security-sensitive tokens, and manually seeding them with `srand()` or `mt_srand()` can make their output predictable.
How to Fix
- Use `wp_rand()` for ordinary WordPress randomness.
- Use PHP cryptographic randomness for security-sensitive tokens.
- Avoid manual random seeding unless there is a narrow, documented reason.
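The following added example (not code from the original page or from any listed plugin) shows the pattern this sniff reports beside the two replacements the fix list recommends: PHP's CSPRNG function `random_bytes()` for a security token, and `wp_rand()` for ordinary randomness. The `myplugin_*` function names are illustrative.

```php
<?php
// Added example, not from the original page. Function names are illustrative.

// Before: what WordPress.WP.AlternativeFunctions.rand_rand flags.
// mt_rand() is not a CSPRNG, and seeding it from the clock (mt_srand)
// makes the whole sequence reproducible from the request time, so the
// "token" is guessable rather than random.
function myplugin_reset_token_flagged() {
    mt_srand( time() );
    $token = '';
    for ( $i = 0; $i < 32; $i++ ) {
        $token .= dechex( mt_rand( 0, 15 ) );
    }
    return $token;
}

// After: security-sensitive token from PHP's CSPRNG. 16 random bytes
// give 32 hex characters; there is no seed and nothing to predict.
// random_bytes() throws if no secure source is available, which is the
// correct failure mode for a token (never fall back to mt_rand()).
function myplugin_reset_token() {
    return bin2hex( random_bytes( 16 ) );
}

// After: ordinary, non-security randomness (e.g. choosing which of $count
// posts to display) goes through wp_rand(), the helper the sniff expects.
function myplugin_pick_random_index( $count ) {
    if ( $count < 1 ) {
        return 0;
    }
    return wp_rand( 0, $count - 1 );
}
```

The choice between the two replacements is driven by what the value protects: anything a user could gain by guessing (password-reset links, API keys, download tokens) needs `random_bytes()`/`random_int()`; everything else can use `wp_rand()`.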
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #801 | Random Post Plugin – Redirect URL to Post | 40 | 28 | 74 | 4k+ | | | Nonce verification recommended |
| #802 | Search Live | 40 | 132 | 71 | 600 | | | Output is not escaped |
| #803 | Simple Statistics for Feeds | 40 | 64 | 131 | 800 | | | Nonce verification recommended |
| #804 | TZ Flickr Widget | 40 | 67 | 7 | 600 | | | Output is not escaped |
| #805 | Universal Honey Pot | 40 | 23 | 94 | 1k+ | | | Missing nonce verification |
| #806 | Upcoming Events Lists | 40 | 75 | 17 | 900 | | | Text Domain Mismatch |
| #807 | Visma Pay for Woocommerce | 40 | 27 | 37 | 2k+ | | | Output is not escaped |
| #808 | yubikey-plugin | 40 | 64 | 33 | 400 | | | Text Domain Mismatch |
| #809 | Easy PayPal & Stripe Buy Now Button | 40 | 388 | 96 | 10k+ | | | Unsafe printing function |
| #810 | WP Paint – WordPress Image Editor | 40 | 30 | 29 | 6k+ | | | Missing Arg Domain |
| #811 | WPS Menu Exporter | 40 | 47 | 22 | 10k+ | | | Output is not escaped |
| #812 | Categorized Tag Cloud | 41 | 44 | 17 | 1k+ | | | Output is not escaped |
| #813 | Social Sharing Plugin – Kiwi | 41 | 23 | 80 | 4k+ | | | Non-prefixed global variable |
| #814 | Posts 2 Posts | 41 | 42 | 73 | 10k+ | | | Non Singular String Literal Domain |
| #815 | Super Testimonial – Testimonial & Customer Review Slider Plugin for WordPress | 41 | 27 | 168 | 2k+ | | | Request data is not unslashed |
| #816 | WP Lorem ipsum | 41 | 37 | 29 | 500 | | | Unsafe printing function |
| #817 | WP Media folders | 41 | 19 | 74 | 3k+ | | | Direct Query |
| #818 | Cookie Notify | 42 | 15 | 54 | 400 | | | Input is not validated |
| #819 | Custom Fields for Gutenberg | 42 | 24 | 24 | 1k+ | | | Output is not escaped |
| #820 | iyzico for WooCommerce | 42 | 34 | 54 | 10k+ | | | Unsafe printing function |
| #821 | Mailster Cool Captcha | 42 | 65 | 28 | 400 | | | Text Domain Mismatch |
| #822 | Medical Addon for Elementor | 42 | 200 | 8 | 1k+ | | | Text Domain Mismatch |
| #823 | Republish Old Posts | 42 | 83 | 24 | 2k+ | | | Output is not escaped |
| #824 | Responsive Mortgage Calculator | 42 | 38 | 28 | 7k+ | | | Output is not escaped |
| #825 | Simple Download Counter | 42 | 58 | 46 | 2k+ | | | Output is not escaped |
| #826 | Anti-spam Reloaded | 43 | 19 | 19 | 2k+ | | | Output is not escaped |
| #827 | BMI Adult & Kid Calculator | 43 | 33 | 138 | 700 | | | Request data is not unslashed |
| #828 | Simple Mortgage Calculator | 43 | 67 | 3 | 1k+ | | | Text Domain Mismatch |
| #829 | Sinbyte Indexer | 43 | 61 | 19 | 2k+ | | | Text Domain Mismatch |
| #830 | WP Extra File Types | 43 | 11 | 26 | 40k+ | | | Request data is not unslashed |
| #831 | Custom Dashboard Help Widget | 44 | 73 | 12 | 900 | | | Output is not escaped |
| #832 | Github Embed | 44 | 18 | 35 | 1k+ | | | Non-prefixed global variable |
| #833 | Narrative Publisher | 44 | 28 | 37 | 1k+ | | | Text Domain Mismatch |
| #834 | WP Club Manager – WordPress Sports Club Plugin | 44 | 171 | 682 | 600 | | | Non-prefixed global variable |
| #835 | Evergreen Countdown Timer | 45 | 193 | 35 | 2k+ | | | wp function not compatible with requires wp |
| #836 | DarkMySite – Advanced Dark Mode Plugin for WordPress | 46 | 22 | 100 | 1k+ | | | Request data is not unslashed |
| #837 | Link in Bio Creator – Social | 46 | 52 | 36 | 2k+ | | | Non Singular String Literal Domain |
| #838 | Updater by BestWebSoft | 46 | 494 | 219 | 2k+ | | | Text Domain Mismatch |
| #839 | 3CX Free Live Chat, Calls & Messaging | 47 | 24 | 16 | 100k+ | | | Output is not escaped |
| #840 | Add Polylang support for Customizer | 48 | 18 | 20 | 2k+ | | | Nonce verification recommended |
| #841 | Ansar Import – One Click Starter Sites – for Elementor & Themes | 48 | 27 | 116 | 10k+ | | | Non-prefixed global variable |
| #842 | Comment Notifier | 48 | 10 | 55 | 400 | | | Non-prefixed global variable |
| #843 | Optinly – Exit Intent, Newsletter Popups, Gamification & Opt-in Forms | 48 | 34 | 14 | 800 | | | Non Singular String Literal Domain |
| #844 | Visual Website Optimizer | 48 | 86 | 4 | 5k+ | | | wp function not compatible with requires wp |
| #845 | Video Background | 49 | 35 | 26 | 9k+ | | | Unsafe printing function |
| #846 | Quotes and Tips by BestWebSoft | 51 | 485 | 190 | 1k+ | | | Text Domain Mismatch |
| #847 | Wenprise Pinyin Slug | 52 | 30 | 34 | 4k+ | | | Text Domain Mismatch |
| #848 | International Telephone Input for Contact Form 7 | 53 | 18 | 10 | 8k+ | | | Missing direct file access protection |
| #849 | LexonRank: AI Link Building, Free Backlinks & SEO Automation | 55 | 15 | 20 | 1k+ | | | Nonce verification recommended |
| #850 | Mortgage Calculator | 55 | 98 | 16 | 4k+ | | | Text Domain Mismatch |