From ebe961b122e6d149f19409f95686eb6134843d39 Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Thu, 8 Jan 2026 17:20:18 +0100
Subject: [PATCH 1/3] Switch to generating UUID4 components with `wp_rand()`, which is usually cryptographically secure.
---
 src/wp-includes/functions.php | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/wp-includes/functions.php b/src/wp-includes/functions.php
index 82a95c265edd8..269ea1473f81d 100644
--- a/src/wp-includes/functions.php
+++ b/src/wp-includes/functions.php
@@ -7958,14 +7958,14 @@ function wp_raise_memory_limit( $context = 'admin' ) {
 function wp_generate_uuid4() {
 return sprintf(
 '%04x%04x-%04x-%04x-%04x-%04x%04x%04x',
- mt_rand( 0, 0xffff ),
- mt_rand( 0, 0xffff ),
- mt_rand( 0, 0xffff ),
- mt_rand( 0, 0x0fff ) | 0x4000,
- mt_rand( 0, 0x3fff ) | 0x8000,
- mt_rand( 0, 0xffff ),
- mt_rand( 0, 0xffff ),
- mt_rand( 0, 0xffff )
+ wp_rand( 0, 0xffff ),
+ wp_rand( 0, 0xffff ),
+ wp_rand( 0, 0xffff ),
+ wp_rand( 0, 0x0fff ) | 0x4000,
+ wp_rand( 0, 0x3fff ) | 0x8000,
+ wp_rand( 0, 0xffff ),
+ wp_rand( 0, 0xffff ),
+ wp_rand( 0, 0xffff )
 );
 }
From f02aa6dd1ab7f03a9c27bedb6e16095592520a15 Mon Sep 17 00:00:00 2001
From: Aaron Jorbin <622599+aaronjorbin@users.noreply.github.com>
Date: Wed, 18 Mar 2026 16:09:38 -0500
Subject: [PATCH 2/3] Only use wp_rand if the function exists. Prevents a fatal if this function is called before pluggable functions have been loaded. Props peterwilsoncc.
---
 src/wp-includes/functions.php | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/src/wp-includes/functions.php b/src/wp-includes/functions.php
index 269ea1473f81d..285a41294179a 100644
--- a/src/wp-includes/functions.php
+++ b/src/wp-includes/functions.php
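Review bot: Eight independent `wp_rand()` draws to fill 122 random bits is a roundabout route, and it makes this core helper's unpredictability depend on whatever `wp_rand()` resolves to at call time; the next patch in this series describes it as a pluggable function, so a site-level override of `wp_rand()` would also decide what every UUID contains. Drawing the whole value from `random_bytes( 16 )` and masking in the version and variant bits produces the same 8-4-4-4-12 layout in one call straight from the engine's secure source, with no dependence on load order or on plugins. `random_bytes()` throws, as `random_int()` does, when no secure source exists, so if the `mt_rand` fallback this series adds later is still wanted, the same try/catch would wrap this single call instead of a probe. The whole function is inside the hunk; its docblock above it is unchanged here and still says nothing about the strength of the output.
```php
function wp_generate_uuid4() {
	// random_bytes() throws when no secure random source is available;
	// callers wanting a non-secure fallback must catch that themselves.
	$bytes    = random_bytes( 16 );
	$bytes[6] = chr( ( ord( $bytes[6] ) & 0x0f ) | 0x40 ); // version 4
	$bytes[8] = chr( ( ord( $bytes[8] ) & 0x3f ) | 0x80 ); // RFC 4122 variant
	return vsprintf( '%s%s-%s-%s-%s-%s%s%s', str_split( bin2hex( $bytes ), 4 ) );
}
```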
@@ -7952,20 +7952,22 @@ function wp_raise_memory_limit( $context = 'admin' ) {
 * Generates a random UUID (version 4).
 *
 * @since 4.7.0
+ * @since 7.0.0 Uses wp_rand instead of mt_rand if available.
 *
 * @return string UUID.
 */
 function wp_generate_uuid4() {
+ $randomizer = function_exists( 'wp_rand' ) ? 'wp_rand' : 'mt_rand';
 return sprintf(
 '%04x%04x-%04x-%04x-%04x-%04x%04x%04x',
- wp_rand( 0, 0xffff ),
- wp_rand( 0, 0xffff ),
- wp_rand( 0, 0xffff ),
- wp_rand( 0, 0x0fff ) | 0x4000,
- wp_rand( 0, 0x3fff ) | 0x8000,
- wp_rand( 0, 0xffff ),
- wp_rand( 0, 0xffff ),
- wp_rand( 0, 0xffff )
+ $randomizer( 0, 0xffff ),
+ $randomizer( 0, 0xffff ),
+ $randomizer( 0, 0xffff ),
+ $randomizer( 0, 0x0fff ) | 0x4000,
+ $randomizer( 0, 0x3fff ) | 0x8000,
+ $randomizer( 0, 0xffff ),
+ $randomizer( 0, 0xffff ),
+ $randomizer( 0, 0xffff )
 );
 }
From 6f5985194e2e589419f0a404dbe7993fe85f068e Mon Sep 17 00:00:00 2001
From: Aaron Jorbin <622599+aaronjorbin@users.noreply.github.com>
Date: Wed, 18 Mar 2026 19:00:04 -0500
Subject: [PATCH 3/3] Try falling back to random_int and only if it is not available, fallback to mt_rand.
---
 src/wp-includes/functions.php | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/wp-includes/functions.php b/src/wp-includes/functions.php
index e36abe819227f..262b069e6da22 100644
--- a/src/wp-includes/functions.php
+++ b/src/wp-includes/functions.php
@@ -7990,12 +7990,24 @@ function wp_raise_memory_limit( $context = 'admin' ) {
 * Generates a random UUID (version 4).
 *
 * @since 4.7.0
- * @since 7.0.0 Uses wp_rand instead of mt_rand if available.
+ * @since 7.0.0 Uses wp_rand if available.
 *
 * @return string UUID.
 */
 function wp_generate_uuid4() {
- $randomizer = function_exists( 'wp_rand' ) ? 'wp_rand' : 'mt_rand';
+ static $backup_randomizer = false;
+ $randomizer = function_exists( 'wp_rand' ) ? 'wp_rand' : $backup_randomizer;
+
+ if ( false === $randomizer ) {
+ try {
+ random_int( 0, 15705 );
+ $backup_randomizer = 'random_int';
+ } catch ( Exception $e ) {
+ $backup_randomizer = 'mt_rand';
+ }
+ $randomizer = $backup_randomizer;
+ }
+
 return sprintf(
 '%04x%04x-%04x-%04x-%04x-%04x%04x%04x',
 $randomizer( 0, 0xffff ),
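Review bot: The docblock line `@since 7.0.0 Uses wp_rand if available.` understates the new body and hides its security-relevant part: when `wp_rand()` is not yet loaded the code probes `random_int()`, settles on `mt_rand()` if that throws, and caches the choice in the static for the rest of the request, so a caller that treats the UUID as a token during early bootstrap on a host with no secure source gets predictable output with no signal that it did. I would write the line as `@since 7.0.0 Uses wp_rand() when loaded, otherwise random_int(), and only mt_rand() when no secure random source is available.` and add `Callers must not rely on the result being unpredictable.` to the description so the caveat is visible where the function is documented. The probe `random_int( 0, 15705 );` also wants a comment, since its bounds are arbitrary and the value is discarded, e.g. `// random_int() throws when no secure source exists; probe once and remember the outcome.`. The function body continues past the end of the hunk.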