An HTTP POST request that also carries a GET (query-string) parameter bypassed the "Hide Backend" feature in vulnerable versions. The request has these properties:

- The HTTP request method is POST
- The URL points to wp-login.php
- The URL parameter is “action=postpass” (so it is a GET parameter)
- The body parameter is “action=login” (so it is a POST parameter)

According to the original researcher, "The plugin will read the GET and will let pass since it’s allowed, but WordPress will handle the POST one and will display the login form."
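
The mismatch described above, modelled as an added example (not code from the plugin, WordPress or the researcher): a gate that checks only the query-string `action`, a handler that prefers the body value, a gate that decides on the value the handler will act on, and a check that flags requests whose two `action` values disagree. The function names, the allow-list and the sample requests are constructed for illustration, and the body-over-query precedence is assumed from the researcher's description.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: actions the hide-backend gate lets through without the secret slug.
ALLOWED_WITHOUT_SLUG = {"postpass"}

def _first(params, key):
    vals = params.get(key)
    return vals[0] if vals else None

def parse_request(url, body=""):
    """Return (path, query_params, body_params) for a form-encoded request."""
    parts = urlsplit(url)
    return parts.path, parse_qs(parts.query), parse_qs(body)

def gate_query_only(url, body=""):
    """Model of the flawed check: decides using the query-string action only."""
    _, query, _ = parse_request(url, body)
    return _first(query, "action") in ALLOWED_WITHOUT_SLUG

def effective_action(url, body=""):
    """Model of the handler: body value wins over query value, default 'login'."""
    _, query, form = parse_request(url, body)
    return _first(form, "action") or _first(query, "action") or "login"

def gate_effective(url, body=""):
    """Hardened check: decide on the same value the handler will act on."""
    return effective_action(url, body) in ALLOWED_WITHOUT_SLUG

def is_action_mismatch(method, url, body=""):
    """Detection: POST to wp-login.php whose query and body 'action' disagree."""
    path, query, form = parse_request(url, body)
    q, b = _first(query, "action"), _first(form, "action")
    return (method.upper() == "POST" and path.endswith("/wp-login.php")
            and q is not None and b is not None and q != b)

# Constructed sample requests (method, URL, body).
SAMPLES = [
    ("POST", "/wp-login.php?action=postpass", "action=login"),
    ("POST", "/wp-login.php?action=postpass", "post_password=x"),
    ("GET", "/wp-login.php?action=login", ""),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(method, url, repr(body),
              "query-gate:", gate_query_only(url, body),
              "effective-gate:", gate_effective(url, body),
              "mismatch:", is_action_mismatch(method, url, body))
```

The first sample passes the query-only gate while the handler acts on `login`; the second is an ordinary `postpass` submission, which both gates allow and the mismatch check does not flag.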