diff -r 7b1b88e27a20 -r 48c4eec2b7e6 wp/wp-includes/class-wp-http-cookie.php
--- a/wp/wp-includes/class-wp-http-cookie.php	Thu Sep 29 08:06:27 2022 +0200
+++ b/wp/wp-includes/class-wp-http-cookie.php	Fri Sep 05 18:40:08 2025 +0200
@@ -18,6 +18,7 @@
  *
  * @since 2.8.0
  */
+#[AllowDynamicProperties]
 class WP_Http_Cookie {
 
 	/**
@@ -114,7 +115,7 @@
 			$this->domain = $parsed_url['host'];
 		}
 		$this->path = isset( $parsed_url['path'] ) ? $parsed_url['path'] : '/';
-		if ( '/' !== substr( $this->path, -1 ) ) {
+		if ( ! str_ends_with( $this->path, '/' ) ) {
 			$this->path = dirname( $this->path ) . '/';
 		}
 
@@ -135,7 +136,7 @@
 			foreach ( $pairs as $pair ) {
 				$pair = rtrim( $pair );
 
-				// Handle the cookie ending in ; which results in a empty final pair.
+				// Handle the cookie ending in ; which results in an empty final pair.
 				if ( empty( $pair ) ) {
 					continue;
 				}
@@ -201,8 +202,8 @@
 		}
 
 		// Host - very basic check that the request URL ends with the domain restriction (minus leading dot).
-		$domain = ( '.' === substr( $domain, 0, 1 ) ) ? substr( $domain, 1 ) : $domain;
-		if ( substr( $url['host'], -strlen( $domain ) ) !== $domain ) {
+		$domain = ( str_starts_with( $domain, '.' ) ) ? substr( $domain, 1 ) : $domain;
+		if ( ! str_ends_with( $url['host'], $domain ) ) {
 			return false;
 		}
 
@@ -212,7 +213,7 @@
 		}
 
 		// Path - request path must start with path restriction.
-		if ( substr( $url['path'], 0, strlen( $path ) ) !== $path ) {
+		if ( ! str_starts_with( $url['path'], $path ) ) {
 			return false;
 		}