From ${URL} :

It was reported [1] that all versions of WordPress are using a weak random number generation algorithm, which makes it possible to predict the password reset token for the admin user.

Non-upstream patch is available here: https://core.trac.wordpress.org/attachment/ticket/28633/28633.3.patch

[1]: http://seclists.org/fulldisclosure/2015/Feb/42

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Upstream implemented a real CSPRNG in v4.4, which landed in the Gentoo repository via https://gitweb.gentoo.org/repo/gentoo.git/commit/www-apps/wordpress?id=ec13cc7f87541d157420ef03a44a203ce400f4ec