Description
The AnWP Football Leagues plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 0.16.17 via the 'download_csv_players' and 'download_csv_games' functions. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
Published: 2025-08-12
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local code execution via CSV injection by authenticated administrators
Action: Patch immediately
AI Analysis

Impact

The AnWP Football Leagues plugin for WordPress contains a CSV injection flaw in its download functions, allowing an attacker with administrator or higher privileges to embed malicious input into CSV files. When these files are downloaded and opened in applications such as Excel, the injected content can be interpreted as executable formulas, leading to local code execution on the client system. The CVSS score of 4.8 reflects this moderate severity and the need for privileged access to exploit the vulnerability.

Affected Systems

All installations of the AnWP Football Leagues plugin with a version of 0.16.17 or earlier are affected. The vulnerability applies to the WordPress plugin developed by anwppro, which is responsible for managing football leagues and player data.

Risk and Exploitability

The Exploit Prediction Scoring System indicates an exploitation probability of less than 1 % and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting limited current exploitation activity. However, the requirement for administrator‑level access means that the risk escalates if attackers can compromise an admin account or if the plugin is exposed to social engineering. The attack vector is inferred to be local execution after the CSV is opened on a victim’s machine, so securing admin credentials and limiting CSV usage are critical.

Generated by OpenCVE AI on April 22, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the AnWP Football Leagues plugin to version 0.16.18 or later, or any release that removes the vulnerable export functions.
  • Restrict or remove the CSV export functionality from the plugin’s user interface for all users except administrators, effectively blocking CSV downloads for non‑privileged accounts.
  • Ensure that any remaining CSV export process sanitizes exported data by escaping leading characters such as =, +, -, @ or by explicitly prefixing values with a single quote to prevent formula evaluation in spreadsheet applications.

Generated by OpenCVE AI on April 22, 2026 at 22:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-24227 The AnWP Football Leagues plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 0.16.17 via the 'download_csv_players' and 'download_csv_games' functions. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
History

Tue, 12 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 Aug 2025 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Anwp
Anwp football Leagues
Wordpress
Wordpress wordpress
Vendors & Products Anwp
Anwp football Leagues
Wordpress
Wordpress wordpress

Tue, 12 Aug 2025 06:45:00 +0000

Type Values Removed Values Added
Description The AnWP Football Leagues plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 0.16.17 via the 'download_csv_players' and 'download_csv_games' functions. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
Title AnWP Football Leagues <= 0.16.17 - Authenticated (Administrator+) CSV Injection
Weaknesses CWE-1236
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Anwp Football Leagues
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:33:08.951Z

Reserved: 2025-08-08T18:17:14.475Z

Link: CVE-2025-8767

cve-icon Vulnrichment

Updated: 2025-08-12T20:07:38.437Z

cve-icon NVD

Status : Deferred

Published: 2025-08-12T07:15:30.733

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8767

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T22:30:28Z

Weaknesses