From e4ae050b866964b4a737093e556aa47c405fa533 Mon Sep 17 00:00:00 2001
From: tanjiroK-coder
Date: Fri, 19 Jun 2026 15:50:22 +0530
Subject: [PATCH] Use wp_rand() for multisite admin email confirmation token generation

Completes the hardening from #43771, which replaced mt_rand() with the CSPRNG-backed wp_rand() for email-change confirmation tokens in update_option_new_admin_email() and send_confirmation_on_profile_email(), but missed the multisite equivalent update_network_option_new_admin_email().
---
 src/wp-includes/ms-functions.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/wp-includes/ms-functions.php b/src/wp-includes/ms-functions.php
index f1cbc62fa8ec7..61dcbc23fa732 100644
--- a/src/wp-includes/ms-functions.php
+++ b/src/wp-includes/ms-functions.php
@@ -2785,7 +2785,7 @@ function update_network_option_new_admin_email( $old_value, $value ) {
 return;
 }
- $hash = md5( $value . time() . mt_rand() );
+ $hash = md5( $value . time() . wp_rand() );
 $new_admin_email = array(
 'hash' => $hash,
 'newemail' => $value,
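Review bot: On the added line `$hash = md5( $value . time() . wp_rand() );`, the only unpredictable input is a single `wp_rand()` call with no arguments, which returns an integer in a 32-bit range, so the 128-bit-looking md5 token carries at most about 32 bits of secret material; `$value` and `time()` are known or guessable. If the goal is hardening rather than parity with the sibling functions, draw the whole token from the CSPRNG, e.g. `$hash = wp_generate_password( 32, false );`, which keeps the 32-character length, and consider the same follow-up for the two functions named in the description. The code that later compares the stored hash with the submitted one is outside this hunk, so it is worth confirming that it uses `hash_equals()`. The body of update_network_option_new_admin_email() starts and ends outside the hunk, and the patch adds no test covering the token.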