SQL Injection exists in the Loginizer plugin before 1.3.6 for WordPress via the X-Forwarded-For HTTP header.
https://wpvulndb.com/vulnerabilities/8883
https://sv.wordpress.org/plugins/loginizer/#developers
https://blog.wpscans.com/sql-injection-and-csrf-security-vulnerability-in-loginizer/