Description: Harden newbloguser key
 Use a properly generated hash for the newbloguser key instead of a
 determinate substring.
Author: johnbillion@wordpress.org
Origin: upstream, https://core.trac.wordpress.org/changeset/42296/branches/4.1
Applied-Upstream: 4.1.21
Reviewed-by: Craig Small <csmall@debian.org>
Last-Update: 2018-01-06
--- a/wp-admin/user-new.php
+++ b/wp-admin/user-new.php
@@ -69,7 +69,7 @@
 			add_existing_user_to_blog( array( 'user_id' => $user_id, 'role' => $_REQUEST[ 'role' ] ) );
 			$redirect = add_query_arg( array('update' => 'addnoconfirmation'), 'user-new.php' );
 		} else {
-			$newuser_key = substr( md5( $user_id ), 0, 5 );
+			$newuser_key = wp_generate_password( 20, false );
 			add_option( 'new_user_' . $newuser_key, array( 'user_id' => $user_id, 'email' => $user_details->user_email, 'role' => $_REQUEST[ 'role' ] ) );
 
 			$roles = get_editable_roles();
