CVE-2023-3604: 
WordPress vulnerability analysis and mitigation

The Change WP Admin Login WordPress plugin before version 1.1.4 contains a security vulnerability identified as CVE-2023-3604. The vulnerability was discovered on July 27, 2023, and allows unauthorized users to discover the URL of the hidden login page when accessing a crafted URL, effectively bypassing the protection mechanism offered by the plugin (WPScan, NVD).

The vulnerability has a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The issue occurs when an unauthenticated visitor accesses specific crafted URLs, such as the WordPress customizer URL (wp-admin/customize.php), which then reveals the hidden login page location through a redirect (WPScan).

When exploited, this vulnerability exposes the hidden login page URL, compromising the security measure intended to protect the WordPress admin login page from unauthorized discovery. This exposure could make the site more vulnerable to brute force attacks and other unauthorized access attempts (NVD).

The vulnerability has been patched in version 1.1.4 of the Change WP Admin Login plugin. Site administrators should update to this version or later to protect against this security issue (WPScan).