CVE-2020-27615
published 2020-10-21

CVE-2020-27615: The Loginizer plugin before 1.6.4 for WordPress allows SQL injection (with resultant XSS), related to loginizer_login_failed and lz_valid_ip.

Priority: P1 · 81 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploitation: exploited in the wild (VulnCheck KEV)
EPSS: 53.62% (98.9th percentile)

Affected (1 range)

Vendor      Product     Version range   Fixed in
loginizer   loginizer   < 1.6.4         1.6.4

Detection & IOCs (extracted from sources)

other:  Loginizer plugin version < 1.6.4 (WordPress plugin)
sigma:  contains_all(body,"wp-admin","user_login") AND status_code == 200
  • The SQLi is unauthenticated and time-based, delivered via the `log` (username) parameter on the WordPress login page. Monitor for anomalous SQL syntax (e.g., SLEEP/BENCHMARK payloads) in POST requests to wp-login.php targeting the `log` parameter.
  • The vulnerability exists in the `loginizer_login_failed` function and the `lz_valid_ip` function due to lack of input sanitization. Detection logic should flag unsanitized input reaching these code paths.
  • Successful exploitation can result in stored XSS in addition to SQLi. Correlate login-page SQLi attempts with subsequent unexpected script content in WordPress admin pages.
  • Use nuclei-style fingerprinting: HTTP 200 response to wp-login.php containing both `wp-admin` and `user_login` body strings can confirm a WordPress login page is present; combine with version detection of Loginizer < 1.6.4 to identify vulnerable targets.
  • WordPress forced an automatic update to Loginizer 1.6.4 for most sites; however, sites on the 1.4.x branch or with auto-updates disabled may still be unpatched and vulnerable.
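The first detection note above (watch for SLEEP/BENCHMARK markers in the `log` parameter of POSTs to wp-login.php) as a worked example; this is added code, not part of the record or of any vendor tooling. It assumes the sensor (a WAF or full-capture probe) hands over each request as a dict with `ip`, `method`, `path` and `body`; the sample requests and addresses are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Time-based SQLi markers named in the detection note: a SLEEP( or BENCHMARK( call.
# Heuristic only; tune the pattern for your environment.
TIME_BASED_SQLI = re.compile(r"(?i)\b(?:sleep|benchmark)\s*\(")


def is_wp_login_post(method, path):
    """True for POST requests whose path (query string ignored) is wp-login.php."""
    return method.upper() == "POST" and urlsplit(path).path.endswith("/wp-login.php")


def username_from_body(body):
    """Return the decoded `log` (username) field of a form-encoded login body, or None."""
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get("log")
    return values[0] if values else None


def flag_login_sqli(requests):
    """Return (client_ip, decoded username) for each wp-login.php POST whose
    `log` field carries a time-based SQLi marker after URL decoding.
    `requests` is an iterable of dicts with keys ip, method, path, body."""
    hits = []
    for req in requests:
        if not is_wp_login_post(req["method"], req["path"]):
            continue
        user = username_from_body(req["body"])
        if user is not None and TIME_BASED_SQLI.search(user):
            hits.append((req["ip"], user))
    return hits


# Constructed sample capture: one normal login, one unrelated POST, and one
# login attempt carrying a generic SLEEP() marker in the `log` field.
SAMPLE_REQUESTS = [
    {"ip": "203.0.113.10", "method": "POST", "path": "/wp-login.php",
     "body": "log=alice&pwd=hunter2&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F"},
    {"ip": "203.0.113.11", "method": "POST", "path": "/wp-comments-post.php",
     "body": "comment=hello&author=bob"},
    {"ip": "198.51.100.7", "method": "POST", "path": "/wp-login.php?redirect_to=%2Fwp-admin%2F",
     "body": "log=x%27+OR+SLEEP%285%29--+&pwd=x&wp-submit=Log+In"},
]

if __name__ == "__main__":
    for ip, user in flag_login_sqli(SAMPLE_REQUESTS):
        print(f"time-based SQLi marker in wp-login.php `log` from {ip}: {user!r}")
```

The match is done on the decoded field, so percent-encoded or plus-encoded variants of the same marker are caught; pair any hit with the plugin-version check from the notes above before treating the host as affected.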

CVSS provenance

Source      Version  Score  Severity  Vector
NVD         v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD         v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck            9.8    CRITICAL