WordPress.WP.AlternativeFunctions.rand_rand
rand rand
The plugin uses a random function that may not be appropriate for the task.
Why It Shows Up
The scan found functions such as `rand()`, `mt_rand()`, `srand()`, or `mt_srand()`.
Why It Matters
General random functions are not suitable for security-sensitive tokens and manual seeding can reduce randomness.
How to Fix
- Use `wp_rand()` for ordinary WordPress randomness.
- Use PHP cryptographic randomness for security-sensitive tokens.
- Avoid manual random seeding unless there is a narrow, documented reason.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #851 | Anti-Captcha (anti-spam botblocker) | 56 | 23 | 26 | 1k+ | rand mt rand | ||
| #852 | SMTP by BestWebSoft | 56 | 486 | 175 | 1k+ | Text Domain Mismatch | ||
| #853 | reCAPTCHA for Ninja Forms | 56 | 21 | 9 | 600 | Output is not escaped | ||
| #854 | BestWebSoft’s Pinterest | 57 | 490 | 176 | 500 | Text Domain Mismatch | ||
| #855 | Cache-Control | 57 | 26 | 4 | 1k+ | Output is not escaped | ||
| #856 | WP Online Active Users | 58 | 26 | 45 | 2k+ | Non-prefixed global variable | ||
| #857 | Super Simple Event Calendar | 58 | 8 | 24 | 600 | Request data is not unslashed | ||
| #858 | Videopack | 58 | 28 | 108 | 10k+ | Input is not sanitized | ||
| #859 | pensopay Payments v2 | 59 | 413 | 32 | 1k+ | Non Singular String Literal Domain | ||
| #860 | Country and State Selection Addon for Gravity Forms | 61 | 14 | 26 | 1k+ | Non-prefixed constant | ||
| #861 | Countdown | 63 | 43 | 0 | 400 | Output is not escaped | ||
| #862 | Placeholder Image for WooCommerce | 63 | 31 | 5 | 400 | Output is not escaped | ||
| #863 | Dojo for WooCommerce | 65 | 71 | 13 | 800 | Text Domain Mismatch | ||
| #864 | QRCode | 65 | 21 | 39 | 400 | Non-prefixed constant | ||
| #865 | Debug Log Manager – Conveniently Monitor and Inspect Errors | 66 | 33 | 44 | 10k+ | Input is not validated | ||
| #866 | Printful Integration for WooCommerce | 67 | 218 | 76 | 50k+ | Text Domain Mismatch | ||
| #867 | Product Specifications for Woocommerce | 67 | 12 | 80 | 1k+ | Non-prefixed global variable | ||
| #868 | Custom Form Builder, Contact Forms, Payment Forms, Surveys, Polls | 68 | 21 | 18 | 1k+ | Output is not escaped | ||
| #869 | Cresta Social Messenger | 71 | 9 | 10 | 1k+ | Non-prefixed function | ||
| #870 | WPS Notice Center | 71 | 12 | 7 | 3k+ | Unsafe printing function | ||
| #871 | Amazing Affiliates – Toolkit for Amazon Associates with Amazon Product Blocks and Amazon PAAPI5 / Creators API integration | 72 | 3 | 650 | 600 | Non-prefixed global variable | ||
| #872 | Signature Field For Contact Form 7 – CF7Sign | 74 | 9 | 12 | 700 | Missing Translators Comment | ||
| #873 | Elements For Elementor | 74 | 39 | 37 | 10k+ | Non-prefixed global variable | ||
| #874 | Accordion Shortcode | 75 | 17 | 0 | 400 | Output is not escaped | ||
| #875 | Honeypot Anti Spam for Forminator Forms | 75 | 4 | 7 | 1k+ | Missing nonce verification | ||
| #876 | PopupAlly | 75 | 40 | 10 | 2k+ | Missing direct file access protection | ||
| #877 | Super RSS Reader – Add attractive RSS Feed Widget | 76 | 24 | 5 | 10k+ | Output is not escaped | ||
| #878 | Contact Form 7 Text CAPTCHA | 76 | 14 | 34 | 1k+ | Non-prefixed global variable | ||
| #879 | Self-Hosted Google Fonts | 77 | 35 | 11 | 30k+ | Text Domain Mismatch | ||
| #880 | Taggbox – Free Social Media Widgets, Review Badges & Shoppable UGC | 77 | 23 | 113 | 1k+ | Direct Query | ||
| #881 | Lorem Ipsum Generator | 77 | 7 | 9 | 500 | Missing direct file access protection | ||
| #882 | Interact: Embed A Quiz On Your Site | 78 | 6 | 13 | 3k+ | Request data is not unslashed | ||
| #883 | Cresta Help Chat | 80 | 6 | 6 | 10k+ | Output is not escaped | ||
| #884 | Docxpresso | 80 | 9 | 14 | 2k+ | Input is not sanitized | ||
| #885 | Image Captcha For Gravity Forms | 80 | 20 | 10 | 400 | Text Domain Mismatch | ||
| #886 | BinancePay Checkout for WooCommerce | 84 | 5 | 14 | 900 | Input is not validated | ||
| #887 | BNE Gallery Extended | 86 | 8 | 0 | 1k+ | Unsafe printing function | ||
| #888 | Extra Styling for MemberPress | 86 | 64 | 7 | 500 | Text Domain Mismatch | ||
| #889 | A Random Number | 89 | 3 | 5 | 800 | Non-prefixed function | ||
| #890 | reBusted! | 91 | 7 | 3 | 6k+ | Missing direct file access protection | ||
| #891 | Tumblr Importer | 91 | 7 | 9 | 10k+ | wp function not compatible with requires wp | ||
| #892 | Image Hotspot With Tooltip For WPBakery Page Builder (formerly Visual Composer) | 92 | 61 | 12 | 400 | Text Domain Mismatch | ||
| #893 | Drag and Drop File Upload for Elementor Forms | 94 | 29 | 1 | 1k+ | curl curl setopt | ||
| #894 | Easy Theme and Plugin Upgrades | 94 | 29 | 20 | 70k+ | Discouraged PHP function | ||
| #895 | Hide WordPress Version | 96 | 5 | 4 | 400 | trademarked term | ||
| #896 | SoundCloud Shortcode | 97 | 6 | 1 | 5k+ | Missing Arg Domain |