{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8767", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-08T18:17:14.475Z", "datePublished": "2025-08-12T06:42:40.577Z", "dateUpdated": "2026-04-08T16:33:08.951Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:33:08.951Z"}, "affected": [{"vendor": "anwppro", "product": "AnWP Football Leagues", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.16.17", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The AnWP Football Leagues plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 0.16.17 via the 'download_csv_players' and 'download_csv_games' functions. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration."}], "title": "AnWP Football Leagues <= 0.16.17 - Authenticated (Administrator+) CSV Injection", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/04676263-cdad-40cd-bb54-61beb727e09d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/football-leagues-by-anwppro/trunk/includes/class-anwpfl-data-port.php#L93"}, {"url": "https://plugins.trac.wordpress.org/browser/football-leagues-by-anwppro/trunk/includes/class-anwpfl-data-port.php#L265"}, {"url": "https://plugins.trac.wordpress.org/browser/football-leagues-by-anwppro/trunk/includes/class-anwpfl-data-port.php#L58"}, {"url": "http://plugins.trac.wordpress.org/changeset/3342787/football-leagues-by-anwppro/trunk/includes/class-anwpfl-data-port.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File", "cweId": "CWE-1236", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-08-08T19:24:04.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-08-11T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-12T20:06:56.458368Z", "id": "CVE-2025-8767", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-12T20:07:51.764Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8767", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-12T20:06:56.458368Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-12T20:07:38.437Z"}}], "cna": {"title": "AnWP Football Leagues <= 0.16.17 - Authenticated (Administrator+) CSV Injection", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "anwppro", "product": "AnWP Football Leagues", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.16.17"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-08T19:24:04.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-08-11T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/04676263-cdad-40cd-bb54-61beb727e09d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/football-leagues-by-anwppro/trunk/includes/class-anwpfl-data-port.php#L93"}, {"url": "https://plugins.trac.wordpress.org/browser/football-leagues-by-anwppro/trunk/includes/class-anwpfl-data-port.php#L265"}, {"url": "https://plugins.trac.wordpress.org/browser/football-leagues-by-anwppro/trunk/includes/class-anwpfl-data-port.php#L58"}, {"url": "http://plugins.trac.wordpress.org/changeset/3342787/football-leagues-by-anwppro/trunk/includes/class-anwpfl-data-port.php"}], "descriptions": [{"lang": "en", "value": "The AnWP Football Leagues plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 0.16.17 via the 'download_csv_players' and 'download_csv_games' functions. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1236", "description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:33:08.951Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8767", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:33:08.951Z", "dateReserved": "2025-08-08T18:17:14.475Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-12T06:42:40.577Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The AnWP Football Leagues plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 0.16.17 via the 'download_csv_players' and 'download_csv_games' functions. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration."}, {"lang": "es", "value": "El complemento AnWP Football Leagues para WordPress es vulnerable a la inyecci\u00f3n de CSV en todas las versiones hasta la 0.16.17 incluida, a trav\u00e9s de las funciones \u00abdownload_csv_players\u00bb y \u00abdownload_csv_games\u00bb. Esto permite a atacantes autenticados, con acceso de administrador o superior, incrustar informaci\u00f3n no confiable en archivos CSV exportados, lo que puede provocar la ejecuci\u00f3n de c\u00f3digo al descargar y abrir estos archivos en un sistema local con una configuraci\u00f3n vulnerable."}], "id": "CVE-2025-8767", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-12T07:15:30.733", "references": [{"source": "security@wordfence.com", "url": "http://plugins.trac.wordpress.org/changeset/3342787/football-leagues-by-anwppro/trunk/includes/class-anwpfl-data-port.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/football-leagues-by-anwppro/trunk/includes/class-anwpfl-data-port.php#L265"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/football-leagues-by-anwppro/trunk/includes/class-anwpfl-data-port.php#L58"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/football-leagues-by-anwppro/trunk/includes/class-anwpfl-data-port.php#L93"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/04676263-cdad-40cd-bb54-61beb727e09d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1236"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T22:22:48.801382+00:00", "value": {"mitigation_remediation": ["Update the AnWP Football Leagues plugin to version 0.16.18 or later, or any release that removes the vulnerable export functions.", "Restrict or remove the CSV export functionality from the plugin\u2019s user interface for all users except administrators, effectively blocking CSV downloads for non\u2011privileged accounts.", "Ensure that any remaining CSV export process sanitizes exported data by escaping leading characters such as =, +, -, @ or by explicitly prefixing values with a single quote to prevent formula evaluation in spreadsheet applications."], "summary": {"action": "Patch immediately", "impact": "Local code execution via CSV injection by authenticated administrators"}, "threat_synthesis": {"affected_systems": "All installations of the AnWP Football Leagues plugin with a version of 0.16.17 or earlier are affected. The vulnerability applies to the WordPress plugin developed by anwppro, which is responsible for managing football leagues and player data.", "description_and_impact": "The AnWP Football Leagues plugin for WordPress contains a CSV injection flaw in its download functions, allowing an attacker with administrator or higher privileges to embed malicious input into CSV files. When these files are downloaded and opened in applications such as Excel, the injected content can be interpreted as executable formulas, leading to local code execution on the client system. The CVSS score of 4.8 reflects this moderate severity and the need for privileged access to exploit the vulnerability.", "risk_and_exploitability": "The Exploit Prediction Scoring System indicates an exploitation probability of less than 1\u202f% and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting limited current exploitation activity. However, the requirement for administrator\u2011level access means that the risk escalates if attackers can compromise an admin account or if the plugin is exposed to social engineering. The attack vector is inferred to be local execution after the CSV is opened on a victim\u2019s machine, so securing admin credentials and limiting CSV usage are critical."}}}}, "created": "2025-08-12T19:53:23.547439+00:00", "updated": "2026-04-22T22:30:28.827981+00:00", "vendors": ["anwp", "anwp$PRODUCT$football_leagues", "wordpress", "wordpress$PRODUCT$wordpress"]}