CVE-2025-8767
📋 TL;DR
The AnWP Football Leagues WordPress plugin contains a CSV injection vulnerability that allows authenticated administrators to embed malicious formulas in exported CSV files. When these files are downloaded and opened in vulnerable spreadsheet applications (like Excel), they can execute arbitrary code on the user's system. This affects all WordPress sites using the plugin up to version 0.16.17.
💻 Affected Systems
- AnWP Football Leagues WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with administrator access could craft CSV files containing malicious formulas that execute arbitrary code on victims' systems when opened, potentially leading to full system compromise.
Likely Case
Malicious administrators could export CSV files containing formulas that execute commands or steal data when opened by other users in vulnerable spreadsheet applications.
If Mitigated
With proper input validation and output escaping, CSV exports would contain sanitized data that cannot trigger formula execution.
🎯 Exploit Status
Exploitation requires administrator access and depends on victim opening CSV files in vulnerable spreadsheet applications with automatic formula execution enabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 0.16.18 or later
Vendor Advisory: http://plugins.trac.wordpress.org/changeset/3342787/football-leagues-by-anwppro/trunk/includes/class-anwpfl-data-port.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'AnWP Football Leagues'
4. Click 'Update Now' if available
5. If no update appears, download version 0.16.18+ from WordPress.org and manually update
🔧 Temporary Workarounds
Disable CSV export functionality
Temporarily disable the vulnerable CSV export features until patching is possible.
Add to wp-config.php: define('ANWPFL_DISABLE_CSV_EXPORT', true);
Restrict administrator access
Review and minimize administrator accounts to reduce the attack surface.
🧯 If You Can't Patch
- Implement strict access controls to limit who has administrator privileges
- Educate users to never open CSV files from untrusted sources in spreadsheet applications with automatic formula execution
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → AnWP Football Leagues → Version. If version is 0.16.17 or lower, you are vulnerable.
Check Version:
wp plugin list --name='football-leagues-by-anwppro' --field=version
Verify Fix Applied:
After updating, verify version is 0.16.18 or higher in WordPress plugins list.
📡 Detection & Monitoring
Log Indicators:
- Multiple CSV export requests from same administrator account
- Unusual CSV download patterns
Network Indicators:
- CSV file downloads whose data fields begin with formula characters (=, +, -, @)
SIEM Query:
source="wordpress" AND uri_path="/wp-admin/admin-ajax.php" AND (parameters CONTAINS "download_csv_players" OR parameters CONTAINS "download_csv_games")
🔗 References
- http://plugins.trac.wordpress.org/changeset/3342787/football-leagues-by-anwppro/trunk/includes/class-anwpfl-data-port.php
- https://plugins.trac.wordpress.org/browser/football-leagues-by-anwppro/trunk/includes/class-anwpfl-data-port.php#L265
- https://plugins.trac.wordpress.org/browser/football-leagues-by-anwppro/trunk/includes/class-anwpfl-data-port.php#L58
- https://plugins.trac.wordpress.org/browser/football-leagues-by-anwppro/trunk/includes/class-anwpfl-data-port.php#L93
- https://www.wordfence.com/threat-intel/vulnerabilities/id/04676263-cdad-40cd-bb54-61beb727e09d?source=cve