This section describes malware that sends malicious code via $_COOKIE in WordPress.

Malware that sends malicious code via $_COOKIE

A COOKIE is data that a site records in the user's browser so that the data is retained as the user moves between pages. However, with special software, the sender can set this COOKIE to any value, and that value is then loaded on the server side.

The malware shown below is part of the malware code detected by WP Doctor.

In this malware, the _gcookie function reads an arbitrary COOKIE value. The code section

update_option('d', $d);

rewrites WordPress settings, and the code section

$user_id = wp_create_user($u, $p, $e);
$user = new WP_User($user_id);
$user->set_role('administrator');

creates a malicious user on WordPress and assigns it the administrator role.

Why would a hacker send rogue code via COOKIE?

Recently, malware that sends malicious code to the server via COOKIE has been increasing. Generally, data is sent to the server using $_POST and $_GET, but if $_POST and $_GET are monitored by a WAF (web application firewall), code sent via COOKIE may bypass the WAF. This bypass is thought to be the reason for the increase.

How to prevent attacks via COOKIE?

As of 2025, there is probably no WAF that can protect against this method of attack via COOKIE in advance. If malware designed to send and receive data via COOKIE as described above is already on the server, it is difficult to prevent data reception in advance with a WAF.

Therefore, it is necessary to remove the malware on the server that is on the receiving end of the attack via COOKIE.
We recommend that you use a malware detection and removal plug-in to check for the presence of such malware on the server and remove it.
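
A minimal version of such a check, as an added example (not WP Doctor's plug-in code, and not the detected sample): it flags PHP files that read $_COOKIE and also contain the WordPress calls quoted above. The names scan_php and scan_tree, the severity labels and both sample strings are assumptions made for illustration.

```python
import re
from pathlib import Path

# Signals are the calls quoted on this page; the severity scoring is an assumption.
COOKIE_READ = re.compile(r"\$_COOKIE\b")
SINKS = {
    "update_option": re.compile(r"\bupdate_option\s*\("),
    "wp_create_user": re.compile(r"\bwp_create_user\s*\("),
    "set_role_admin": re.compile(r"->\s*set_role\s*\(\s*['\"]administrator['\"]"),
}

def scan_php(source):
    """Return (severity, {signal: [line numbers]}) for one PHP source string."""
    hits = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        if COOKIE_READ.search(line):
            hits.setdefault("cookie_read", []).append(lineno)
        for name, pattern in SINKS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    if "cookie_read" not in hits:
        return "none", hits
    # Cookie input plus administrator creation is the combination described above.
    if "wp_create_user" in hits and "set_role_admin" in hits:
        return "high", hits
    if len(hits) > 1:
        return "review", hits  # cookie read beside one privileged call
    return "none", hits

def scan_tree(root):
    """Scan every *.php file under root; return {path: (severity, hits)} for flagged files."""
    flagged = {}
    for path in Path(root).rglob("*.php"):
        severity, hits = scan_php(path.read_text(errors="replace"))
        if severity != "none":
            flagged[str(path)] = (severity, hits)
    return flagged

# Constructed samples for the check (not the code detected by WP Doctor).
SUSPECT = """<?php
function _gcookie($n) { return isset($_COOKIE[$n]) ? $_COOKIE[$n] : ''; }
update_option('d', $d);
$user_id = wp_create_user($u, $p, $e);
$user = new WP_User($user_id);
$user->set_role('administrator');
"""
BENIGN = """<?php
$theme = isset($_COOKIE['theme']) ? sanitize_key($_COOKIE['theme']) : 'light';
"""
```

This is a line-based heuristic: obfuscated code will not match it, and a "review" result only means the file should be read by hand.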

The next version 2.8 (scheduled for release at the end of August 2025) of our [Free] WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal] will provide a detection blocking function for attacks via COOKIE.
