The oauth2-provider plugin prior to 3.1.5 for WordPress has incorrect generation of random numbers.
dash10 oauth server