wp_generate_password() is misused as a secure hash generator

[Shelob9]

Here, the core function wp_generate_password is used to generate some sort of hash value:

https://github.com/trustedlogin/trustedlogin-client/blob/987efd9a362a3294e921e9f64ae0f796cbc84158/src/Client.php#L501-L503

This has two key weakness:

• By default, this function is a random number generator, not a hashing function. https://github.com/WordPress/WordPress/blob/master/wp-includes/pluggable.php#L2429-L2453
• It's a plugable function and has a filter on the return value, so who knows what it does on any given site.

Related #3

[zackkatz]

Use random_bytes() instead

• bin2hex()