CVE-2025-8767 MEDIUM

CVE-2025-8767: AnWP Football Leagues <= 0.16.17 - Authenticated (Administrator+) CSV Injection

Vendor: Anwppro
Product: AnWP Football Leagues
Weakness: CWE-1236
Published: August 12, 2025
Last update: April 8, 2026

CVSS base score

4.8/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: Required
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

The AnWP Football Leagues plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 0.16.17 via the 'download_csv_players' and 'download_csv_games' functions. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
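
A defensive pattern for CWE-1236 in a CSV export routine, shown as an added example that is not the plugin's code or its actual patch: cells a spreadsheet would evaluate as formulas are prefixed with an apostrophe before `fputcsv` writes them. The function names and sample rows are hypothetical and constructed for illustration.

```php
<?php
// Added example: neutralise spreadsheet formula triggers before CSV export.
// Function names and sample data are hypothetical, not taken from the plugin.

/**
 * Return a cell value that spreadsheet software will treat as plain text.
 */
function csv_neutralize_cell($value): string
{
    $value = (string) $value;

    // Plain numbers such as "-3" or "+5" are not formulas; leave them usable.
    if ($value === '' || is_numeric($value)) {
        return $value;
    }

    // Leading spaces can hide a trigger character, so look past them.
    $probe = ltrim($value, ' ');

    // Trigger characters per OWASP CSV Injection guidance: = + - @ TAB CR.
    if ($probe !== '' && strpbrk($probe[0], "=+-@\t\r") !== false) {
        // A leading apostrophe forces text interpretation in spreadsheets.
        return "'" . $value;
    }
    return $value;
}

/**
 * Write rows to an open stream with every cell neutralised.
 */
function csv_write_rows($handle, array $rows): void
{
    foreach ($rows as $row) {
        // fputcsv quotes delimiters, quotes and newlines; the neutraliser
        // handles formula triggers. Both steps are needed.
        fputcsv($handle, array_map('csv_neutralize_cell', $row), ',', '"', '\\');
    }
}

// Constructed sample rows: one benign, two with formula-style values.
$rows = [
    ['player_name', 'club', 'goal_difference'],
    ['Jane Example', 'FC Sample', '-3'],
    ['=1+1', 'FC Sample', '4'],
    ['  @SUM(1,1)', 'FC Sample', '0'],
];

$out = fopen('php://output', 'w');
csv_write_rows($out, $rows);
fclose($out);
```

The apostrophe prefix changes the stored text, so a consumer that re-imports the CSV programmatically needs to strip it again.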

Explanation of Vulnerability in Simple Terms

02 Summary

AnWP Football Leagues versions up to and including 0.16.17 contain a flaw that allows high-privilege users to perform limited unauthorized actions when a victim downloads and opens an exported CSV file. The vulnerability affects data confidentiality and integrity but not availability. Site administrators should update to a version newer than 0.16.17 to mitigate this risk.

What an attacker can do

03 Attacker Capabilities

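A user with Administrator-level access can embed untrusted input into the exported player or game CSV files; when a victim downloads and opens such a file on a system with a vulnerable configuration, limited data can be read or modified.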

Potential impact on your site

04 Site Impact

High-privilege accounts could be abused to leak or alter data if users are socially engineered into opening exported CSV files that contain attacker-supplied content.

Conditions required to exploit

05 Prerequisites

Attacker must have high-level site privileges (Administrator or above); victim must download and open an exported CSV file on a local system with a vulnerable configuration.

Key dates

06 Disclosure timeline

August 12, 2025: CVE published
April 8, 2026: Record updated