CVE-2025-8767: 
WordPress vulnerability analysis and mitigation

The AnWP Football Leagues plugin for WordPress is vulnerable to CSV Injection in versions up to and including 0.16.17. The vulnerability exists in the 'downloadcsvplayers' and 'downloadcsvgames' functions. This security issue was discovered and disclosed on August 12, 2025 (NVD).

The vulnerability allows authenticated attackers with Administrator-level access to embed untrusted input into exported CSV files. The issue stems from insufficient sanitization in the CSV export functionality, specifically in the 'downloadcsvplayers' and 'downloadcsvgames' functions. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.8 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N) and is classified as CWE-1236 (Improper Neutralization of Formula Elements in a CSV File) (NVD).

When exploited, this vulnerability can result in code execution when the exported CSV files are downloaded and opened on a local system with a vulnerable configuration. This could potentially lead to unauthorized code execution on the user's system who opens the maliciously crafted CSV file (NVD).

The vulnerability has been patched in version 0.16.18 of the AnWP Football Leagues plugin. The fix includes implementing proper CSV cell sanitization to prevent formula injection. Users are advised to update to this version or later to mitigate the vulnerability (WordPress Plugin).