Make WordPress Core


Timestamp: 06/16/2018 02:09:58 PM (7 years ago)
Author: johnbillion
Message:

Security: Harden the random aspect of the hash used for user profile and admin email address changes.

Props BjornW

Fixes #43771

File: 1 edited

  • trunk/src/wp-includes/user.php

    r43353 r43367  
    27272727        }
    27282728
    2729         $hash           = md5( $_POST['email'] . time() . mt_rand() );
     2729        $hash           = md5( $_POST['email'] . time() . wp_rand() );
    27302730        $new_user_email = array(
    27312731            'hash'     => $hash,
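
Review bot: On the changed line `$hash = md5( $_POST['email'] . time() . wp_rand() );`, the email address and the timestamp are values the requester knows or can closely estimate, so the unpredictability of the hash rests entirely on the single `wp_rand()` value, and passing it through `md5()` adds none. Consider building the hash from a longer random string, for example `wp_generate_password( 32, false )`, rather than one integer. Separately, the commit message covers both user profile and admin email address changes, but this changeset edits only trunk/src/wp-includes/user.php; confirm that the admin email path receives the same change.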