The oauth2-provider plugin before 3.1.5 for WordPress has incorrect generation of random numbers.