## https://sploitus.com/exploit?id=WPEX-ID:42FDB534-3AEF-4ED7-94A8-4CFE8FF977E1
A POST HTTP request with GET parameters bypassed the "Hide Backend" feature in vulnerable versions:
- The HTTP request method is POST
- The URL is pointing on wp-login.php
- The URL parameter is âaction=postpassâ (so itâs a GET one)
- The BODY parameter is âaction=loginâ (so itâs a POST one)
According to the original researcher, "The plugin will read the GET and will let pass since itâs allowed, but WordPress will handle the POST one and will display the login form."