The OAuth2 Complete plugin for WordPress uses a pseudorandom number generator which is non-cryptographically secure


Last revised:

The following refer to the generateAccessToken() function in library/OAuth2/ResponseType/AccessToken.php, and the generateAuthorizationCode() function in library/OAuth2/ResponseType/AuthorizationCode.php.

  • These functions attempt to generate secure auth tokens, but do not use the WordPress random number generator. Instead they use a series of fallback calculations depending on which PHP version is being used. Some of these calculations are not crypographically secure:
  • The first is mcrypt_create_iv(100, MCRYPT_DEV_URANDOM). MCRYPT_DEV_URANDOM is expected to change to a different random value whenever it is called, but on Windows, on older versions of php it is known to be a constant value
  • if no other functions (e.g. /dev/urandom) are available then the access token is generated solely using mt_rand(), microtime(), and uniqid().
  • mt_rand() (Mersenne twister) is not a cryptographically secure pseudorandom number generator.
  • According to the documentation mt_rand() is also biassed towards even return values in some circumstances.
  • According to the documentation uniqid() is as secure a PRNG as microtime().

Current state: Reported

CVSS Summary

CVSS base scores for this vulnerability
Score 10 High
Vector Network
Complexity Low
Authentication None
Confidentiality Complete
Integrity Complete
Availability Complete
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

See the documentation:

Advisory timeline

  • 2014-04-16: Discovered
  • 2015-07-21: Reported to vendor by email
  • 2015-07-21: Requested CVE
  • 2015-08-10: Vendor responded
  • 2015-08-11: Vendor confirmed fixed in version 3.1.5
  • 2015-08-12: Published

Mitigation/further actions

Upgrade to version 3.1.5 or later.

If this is not possible then ensure that you are using a recent version of php (at least 5.3), or disable the plugin.