An attacker can discover valid session identifiers through a brute-force attack, because this WordPress version does not invalidate the wordpress_sec session cookie when an administrator logs out.
The application should keep track of session identifiers for which a user has explicitly logged out and prevent those sessions from being used to access the application.
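The server-side bookkeeping this recommendation calls for, as an added example that is not WordPress code: a session registry that stores live identifiers, revokes one on logout, and rejects the old cookie value afterwards, shown next to a model of the flawed logout that only clears the browser cookie. Class and function names and the TTL value are assumptions made for the example.

```python
"""Session registry that rejects a cookie after logout (illustrative, not WordPress code)."""
import hashlib
import secrets
import time

SESSION_TTL = 48 * 3600  # seconds; constructed value for the example


class SessionStore:
    """Tracks live session identifiers; logout removes the entry server-side."""

    def __init__(self):
        # Keep only a hash of each token so a leaked table cannot be replayed.
        self._live = {}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256-bit random identifier
        self._live[self._key(token)] = {"user": user, "expires": now + SESSION_TTL}
        return token

    def logout(self, token):
        # Revoke on the server: the same cookie value must never authenticate again.
        self._live.pop(self._key(token), None)

    def user_for(self, token, now=None):
        """Return the user for a presented cookie, or None if it is not a live session."""
        now = time.time() if now is None else now
        rec = self._live.get(self._key(token))
        if rec is None or now >= rec["expires"]:
            self._live.pop(self._key(token), None)  # drop expired entries
            return None
        return rec["user"]


def flawed_logout(store, token):
    """Models the behaviour described above: only the browser cookie is cleared,
    nothing is revoked on the server, so the identifier stays valid until it expires."""
    return None


def demo():
    store = SessionStore()
    cookie = store.login("admin")
    flawed_logout(store, cookie)
    still_valid = store.user_for(cookie) == "admin"  # True: old cookie still accepted
    store.logout(cookie)
    after_fix = store.user_for(cookie)              # None: identifier revoked
    return still_valid, after_fix
```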