I realised word press uses a static cookie, even when u have not enabled remember-me option. This static value holds the md5 of your password (md5(md5 of password)), which remains static. Thus an xss exploit in wordpress could be really handy as the cookie remains the same unless the password for the user is changed.
6:38 pm on April 3rd, 2007
[...] hash of password of all users including admin user. Before you run mdcrack on this hash, read my previous post on wordpress cookies as this will save your time. Once you have the admin user hash needless to say [...]