This Metasploit module exploits a bypass issue with WPS Hide Login versions less than or equal to 1.9. WPS Hide Login is used to make a new secret path to the login page, however a GET request to /wp-admin/options.php with a referer will reveal the hidden path.
cf0e23084f88d35da4dd2286627bbd0801ca437e1cdded439cd94d23e28d6ab9