The WPS Hide Login WordPress plugin before 1.9.16.4 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the hidden login page.
View the template here CVE-2024-6289.yaml
References:
https://www.sprocketsecurity.com/resources/discovering-wp-admin-urls-in-wordpress-with-gravityforms/