疑似Oday
WordPress Solid Security (formerly iThemes Security/Better WP Security) plugin before 9.0.1 is vulnerable to login page disclosure. When the Hide Backend feature is enabled and comments require user registration, the secret login URL token is exposed in the HTML source via the itsec-hb-token parameter in the comment form login links.
id: wp-better-wp-security-login-disclosure
info:
name: WordPress Solid Security < 9.0.1 - Unauthe
...