CVE-2020-27615
Published: 2020-10-21
Priority: P181 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 53.62% (98.9th percentile)
The Loginizer plugin before 1.6.4 for WordPress allows SQL injection (with resultant XSS), related to loginizer_login_failed and lz_valid_ip.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| loginizer | loginizer | < 1.6.4 | 1.6.4 |
Detection & IOCs (extracted from sources)
sigma: `contains_all(body,"wp-admin","user_login") AND status_code == 200`
- The SQLi is unauthenticated and time-based, delivered via the `log` (username) parameter on the WordPress login page. Monitor for anomalous SQL syntax (e.g., SLEEP/BENCHMARK payloads) in POST requests to wp-login.php targeting the `log` parameter.
- The vulnerability exists in the `loginizer_login_failed` function and the `lz_valid_ip` function due to lack of input sanitization. Detection logic should flag unsanitized input reaching these code paths.
- Successful exploitation can result in stored XSS in addition to SQLi. Correlate login-page SQLi attempts with subsequent unexpected script content in WordPress admin pages.
- Use nuclei-style fingerprinting: an HTTP 200 response to wp-login.php containing both the `wp-admin` and `user_login` body strings confirms a WordPress login page is present; combine with version detection of Loginizer < 1.6.4 to identify vulnerable targets.
- WordPress forced an automatic update to Loginizer 1.6.4 for most sites; however, sites on the 1.4.x branch or with auto-updates disabled may still be unpatched and vulnerable.
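The three detection points above (flag SLEEP/BENCHMARK-style syntax in the `log` field of POSTs to wp-login.php, fingerprint the login page with the nuclei DSL condition, and treat Loginizer versions below 1.6.4 as unpatched) can be exercised together in a small script. The code below is an added illustration, not code from any of the sources on this page. It assumes a constructed JSON-lines log format (one request per line, body included, as a reverse proxy or WAF might emit) and uses a simple regular expression for the time-based primitives; both are assumptions for the example, and the sample records are invented.

```python
import json
import re
from urllib.parse import parse_qs

# Loginizer 1.6.4 is the fixed version stated on this page.
FIXED_VERSION = (1, 6, 4)

# Assumption for the example: the time-based primitives named in the detection
# guidance (SLEEP/BENCHMARK), plus a quote followed by a SQL boolean operator,
# which is how a payload usually breaks out of the username string literal.
SQLI_PATTERN = re.compile(r"(?i)(\b(sleep|benchmark)\s*\(|'\s*(or|and)\b)")

# Constructed sample records (not real traffic): one JSON object per line,
# with the raw form body so the `log` field can be inspected.
SAMPLE_LOG = r'''
{"src": "203.0.113.7", "method": "POST", "path": "/wp-login.php", "status": 200, "body": "log=admin&pwd=hunter2&wp-submit=Log+In"}
{"src": "203.0.113.9", "method": "POST", "path": "/wp-login.php", "status": 200, "body": "log=%27%20OR%20SLEEP%285%29--%20&pwd=x&wp-submit=Log+In"}
{"src": "198.51.100.4", "method": "POST", "path": "/wp-login.php", "status": 200, "body": "log=test%27%20AND%20BENCHMARK%281000000%2CMD5%281%29%29%23&pwd=x"}
{"src": "198.51.100.5", "method": "GET", "path": "/wp-login.php", "status": 200, "body": ""}
{"src": "203.0.113.7", "method": "POST", "path": "/xmlrpc.php", "status": 200, "body": "log=SLEEP(5)"}
'''


def parse_version(version):
    """Turn '1.6.3' (or '1.6.3-beta') into a comparable (major, minor, patch) tuple."""
    parts = []
    for piece in version.strip().split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def loginizer_is_vulnerable(version):
    """True for any Loginizer release before the 1.6.4 fix."""
    return parse_version(version) < FIXED_VERSION


def is_wp_login_page(response_body, status_code):
    """Python rendering of the nuclei DSL matcher quoted on this page:
    contains_all(body,"wp-admin","user_login") AND status_code == 200"""
    return (status_code == 200
            and "wp-admin" in response_body
            and "user_login" in response_body)


def log_param(form_body):
    """Return the decoded `log` (username) field of a form body, or None."""
    # parse_qs percent-decodes values and turns '+' into a space.
    values = parse_qs(form_body, keep_blank_values=True).get("log")
    return values[0] if values else None


def is_time_based_sqli(value):
    return bool(SQLI_PATTERN.search(value))


def scan_records(log_text):
    """Flag POSTs to wp-login.php whose `log` field carries SQLi syntax."""
    alerts = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("method") != "POST" or not rec.get("path", "").endswith("/wp-login.php"):
            continue
        value = log_param(rec.get("body", ""))
        if value is not None and is_time_based_sqli(value):
            alerts.append({"src": rec["src"], "log": value})
    return alerts


if __name__ == "__main__":
    for alert in scan_records(SAMPLE_LOG):
        print(f"suspicious login attempt from {alert['src']}: log={alert['log']!r}")
    for v in ("1.4.9", "1.6.3", "1.6.4"):
        print(v, "vulnerable" if loginizer_is_vulnerable(v) else "patched")
```

The version check parses numerically rather than comparing strings, so "1.10.0" correctly sorts above "1.6.4"; the record scanner decodes the form body before matching, because the payloads in the sample are percent-encoded exactly as a browser or scanner would send them.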
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
GHSA
GHSA-vf5c-prqq-g9f7 · ghsa_unreviewed · 2022-05-24 · CWE-89 · CVE-2020-27615 [CRITICAL]
The Loginizer plugin before 1.6.4 for WordPress allows SQL injection (with resultant XSS), related to loginizer_login_failed and lz_valid_ip.
VulnCheck
vulncheck · 2020 · CVSS 9.8 · CVE-2020-27615 [CRITICAL]
loginizer loginizer: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The Loginizer plugin before 1.6.4 for WordPress allows SQL injection (with resultant XSS), related to loginizer_login_failed and lz_valid_ip.
Affected: loginizer loginizer
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/
No detection rules found.
Metasploit
WordPress Loginizer log SQLi Scanner (metasploit)
The Loginizer WordPress plugin contains an unauthenticated time-based SQL injection in versions before 1.6.4. The vulnerable parameter is the log parameter. WordPress has forced updates of the plugin to all servers.
Nuclei
nuclei · CVSS 9.8 · CVE-2020-27615 [CRITICAL]
WordPress Loginizer < 1.6.4 – Unauthenticated SQL Injection via `log` Parameter
WordPress Loginizer = 7'
```yaml
- 'contains_all(body,"wp-admin","user_login")'
- 'status_code == 200'
condition: and
# digest: 4b0a00483046022100f107c90f5322d86aa89c4a441d65c1a1fb235b2639e22999118156fb960ffa2402210083594b5d5b9e257f6e3f80edc6a5fc66469f8e9adcc9ee1d0062a40e539b2ceb:922c64590222798bb761d5b6d8e72950
```
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42 · 2021-04-12 · CVSS 7.5 · CVE-2020-28188 [HIGH]
# Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to early 2021.
This blog provides details of the newly observed exploits as well as a deep dive into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
Palo Alto Networks Next-Generation Firewall customers are protected from these attacks with the URL Filtering an
Unit42 (second listing)
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42 · 2021-04-12 · CVSS 7.5 · [HIGH]
Authors: Lei Xu, Yue Guan, Vaibhav Singhal. Published: April 12, 2021.
Tags: Malware, Trend Reports, Vulnerabilities, Botnet, DDoS, Exploit kit, IoT, Network security trends
Tenable
CVE-2020-27615: SQL Injection Vulnerability in WordPress Loginizer Plugin Affected Over One Million Sites
blogs_tenable · 2020-10-22 · CVSS 9.8 · [CRITICAL]
Greynoiseio
NoiseLetter December 2025
blogs_greynoiseio · CVSS 10.0 · [CRITICAL]
References
- https://plugins.trac.wordpress.org/changeset/2401010/loginizer
- https://wpdeeply.com/loginizer-before-1-6-4-sqli-injection/
- https://wpscan.com/vulnerability/10441
- https://www.zdnet.com/article/wordpress-deploys-forced-security-update-for-dangerous-bug-in-popular-plugin/