Description The plugin discloses the URL of the hidden login page when accessing a crafted URL, bypassing the protection offered.
- Set custom Login URL under "Settings > Permalinks". For example, `login`
- As an unauthenticated visitor, open https://example.com/wp-admin/customize.php in a different browser
- It will redirect to the login page: https://example.com/login/?redirect_to=https%3A%2F%2Fexample.com%2Fwp-admin%2Fcustomize.php&reauth=1