Security: Harden the random aspect of the hash used for user profile and admin email address changes.

Props BjornW Fixes #43771 git-svn-id: https://develop.svn.wordpress.org/trunk@43367 602fd350-edb4-49c9-b593-d223f7449a82
2018-06-16 14:09:58 +00:00 · 2018-06-16 14:09:58 +00:00 · 102422679d
parent e42ce4a603
commit 102422679d
2 changed files with 2 additions and 2 deletions
--- a/src/wp-admin/includes/misc.php
+++ b/src/wp-admin/includes/misc.php
@ -1205,7 +1205,7 @@ function update_option_new_admin_email( $old_value, $value ) {
 		return;
 	}

-	$hash            = md5( $value . time() . mt_rand() );
+	$hash            = md5( $value . time() . wp_rand() );
 	$new_admin_email = array(
 		'hash'     => $hash,
 		'newemail' => $value,
--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@ -2726,7 +2726,7 @@ function send_confirmation_on_profile_email() {
 			return;
 		}

-		$hash           = md5( $_POST['email'] . time() . mt_rand() );
+		$hash           = md5( $_POST['email'] . time() . wp_rand() );
 		$new_user_email = array(
 			'hash'     => $hash,
 			'newemail' => $_POST['email'],