An attacker can exploit this to ban legitimate users or the site’s own reverse proxy from making requests to the wp-login endpoint which prevents anybody from logging into the site.