CVE-2020-27615
CRITICAL · EXPLOITED IN THE WILD · NUCLEI
WordPress <1.6.4 - SQL Injection/XSS
Title source: llm
Description
The Loginizer plugin before 1.6.4 for WordPress allows SQL injection (with resultant XSS), related to loginizer_login_failed and lz_valid_ip.
Exploits (2)
github
WORKING POC
by Sechunt3r · python · poc
https://github.com/Sechunt3r/CVE-POCs/tree/main/CVE-2020-27615
metasploit
WORKING POC
by h00die, red0xff, mslavco · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/wp_loginizer_log_sqli.rb
Nuclei Templates (1)
WordPress Loginizer < 1.6.4 – Unauthenticated SQL Injection via `log` Parameter
CRITICAL · VERIFIED · by intelligent-ears
References (4)
Scores
CVSS v3
9.8
EPSS
0.8634
EPSS Percentile
99.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV
2021-04-12
InTheWild.io
2021-04-12
CWE
CWE-89
Status
published
Products (1)
loginizer/loginizer
< 1.6.4
Published
Oct 21, 2020
Tracked Since
Feb 18, 2026