CVE-2022-1595: 
WordPress vulnerability analysis and mitigation

The HC Custom WP-Admin URL WordPress plugin through version 1.4 contains a security vulnerability that allows the disclosure of secret login URLs. The vulnerability was discovered and publicly disclosed on May 18, 2022, and was assigned CVE-2022-1595. This vulnerability affects websites using the hc-custom-wp-admin-url plugin version 1.4 and below (WPScan).

The vulnerability allows unauthorized users to leak the secret login URL by sending a specifically crafted request. The exploit can be triggered by sending an HTTP GET request with a crafted cookie header 'validloginslug=1' to the wp-login.php endpoint, which results in a 302 redirect response revealing the secret URL (WPScan).

When exploited, this vulnerability compromises the security of the custom admin URL feature, which is designed to protect the WordPress admin login page. By exposing the secret login URL, attackers can bypass the security measure intended to hide the administrative login page from potential attackers (WPScan).

As of the vulnerability disclosure, there is no known fix available for this security issue. Users of the HC Custom WP-Admin URL plugin should consider using alternative security measures or plugins to protect their WordPress admin login pages (WPScan).