We went back to the password page, i.e., /phpcms/, and reloaded it. This gave us a fully loaded page. We then entered the password that we had found earlier with the wpscan brute force.
We see that it is a draft page, designed to provide the user notadmin with its password. Now that we have the credentials of the user notadmin, it's exploitation time.