Malware Uses Fake WordPress API Domain to Steal Sensitive Cookies

Share this…

Security researchers from Sucuri have found hacked WordPress sites that were altered to secretly siphon off cookies for user and admin accounts to a rogue domain imitating the WordPress API.

The attacker was sending stolen cookies to code.wordprssapi[.]com, a domain that was imitating a non-existent WordPress service.

Sucuri’s Cesar Anjos says he found this malware during an incident response, hidden at the bottom of legitimate JavaScript files.

JavaScript malware designed to steal cookies

The malware’s purpose was to steal cookies and send it to the official-looking domain whenever a user accessed the site and loaded the JavaScript code.

The target of this malware seems to be administrator accounts, and not regular users, who usually don’t have accounts on the site, and their cookies are typically barren of any useful data.

On the other hand, the cookie files for site administrators contain data that can be used to mimic the admin without needing to know the site password. This type of attack, named session hijacking, would allow the attacker to access the site’s backend, where he can then create a new admin user for himself.

Sucuri experts did not say how this code was loaded on the hacked site, but the WordPress CMS ecosystem is known to be quite insecure, thanks to a plethora of outdated themes and plugins. WordPress users that use old themes and plugins unwittingly expose their site to all sorts of vulnerabilities that can allow hackers to take control of their site, or as in this case, gain an initial foothold to carry out more complex attacks.

While the WordPress team cannot force theme and plugin developers to keep their code up-to-date at all times, they do show warnings on the WordPress Plugins repo whenever users are trying to install outdated plugins.

WordPress launches bug bounty program

Furthermore, yesterday, the WordPress team launched an official bug bounty program on the HackerOne platform.

The bug bounty program is now open to everyone, after the WordPress team ran it in private for a few months, during which time they awarded rewards of $3,700 to bug reporters.

The program covers all official projects such as WordPress, BuddyPress, bbPress, GlotPress, and WP-CLI, as well as all official sites including,,,, and

WordPress 4.7.5 is out

Also yesterday, the WordPress team released WordPress 4.7.5, a security and maintenance release. The following bugs were fixed in yesterday’s version.

  •     Insufficient redirect validation in the HTTP class.
  •     Improper handling of post meta data values in the XML-RPC API.
  •     Lack of capability checks for post meta data in the XML-RPC API.
  •     A Cross Site Request Forgery (CRSF)  vulnerability was discovered in the filesystem credentials dialog.
  •     A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files.
  •     A cross-site scripting (XSS) vulnerability was discovered related to the Customizer.