The OAuth2 Complete plugin for WordPress uses a pseudorandom number generator which is non-cryptographically secure
The following refer to the generateAccessToken() function in library/OAuth2/ResponseType/AccessToken.php, and the generateAuthorizationCode() function in library/OAuth2/ResponseType/AuthorizationCode.php.
These functions attempt to generate secure auth tokens, but do not use the WordPress random number generator. Instead they use a series of fallback calculations depending on which PHP version is being used. Some of these calculations are not crypographically secure:
The first is mcrypt_create_iv(100, MCRYPT_DEV_URANDOM). MCRYPT_DEV_URANDOM is expected to change to a different random value whenever it is called, but on Windows, on older versions of php it is known to be a constant value
if no other functions (e.g. /dev/urandom) are available then the access token is generated solely using mt_rand(), microtime(), and uniqid().
mt_rand() (Mersenne twister) is not a cryptographically secure pseudorandom number generator.
According to the documentation mt_rand() is also biassed towards even return values in some circumstances.
According to the documentation uniqid() is as secure a PRNG as microtime().