What the vulnerability does
01 Description
The AnWP Football Leagues plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 0.16.17 via the 'download_csv_players' and 'download_csv_games' functions. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
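The following check is an added example, not code from the plugin or from this advisory: it audits an exported CSV for cells a spreadsheet would evaluate as formulas and writes a neutralized copy. The column names and sample rows are constructed, and the trigger characters and single-quote prefix follow OWASP's general CSV injection guidance rather than anything specific to this plugin.

```python
import csv
import io

# Leading characters that make spreadsheet applications evaluate a cell
# as a formula (per OWASP CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample export; column names and values are assumptions.
SAMPLE_EXPORT = (
    "player_name,nationality,number,note\n"
    "Alex Example,GB,10,captain\n"
    '"=1+1",FR,-7,on loan\n'
    'Sam Sample,"@SUM(A1:A2)",4,"+trial, unsigned"\n'
)


def is_risky(cell: str) -> bool:
    """True if the cell starts with a formula trigger and is not a plain number."""
    if not cell.startswith(FORMULA_TRIGGERS):
        return False
    try:
        float(cell)  # "-7" or "+3.5" are ordinary numeric values
        return False
    except ValueError:
        return True


def neutralize(cell: str) -> str:
    """Prefix risky cells with a single quote so they are shown as text."""
    return "'" + cell if is_risky(cell) else cell


def audit_export(csv_text: str):
    """Return (findings, safe_csv); findings are (row, column, value), 1-based."""
    findings = []
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for r, row in enumerate(csv.reader(io.StringIO(csv_text, newline="")), 1):
        for c, cell in enumerate(row, 1):
            if is_risky(cell):
                findings.append((r, c, cell))
        writer.writerow([neutralize(cell) for cell in row])
    return findings, out.getvalue()


if __name__ == "__main__":
    found, safe_csv = audit_export(SAMPLE_EXPORT)
    for row_no, col_no, value in found:
        print(f"row {row_no}, column {col_no}: {value!r}")
    print(safe_csv, end="")
```

Run it against a downloaded export before opening the file in a spreadsheet application; any finding indicates stored data that should be reviewed at the source.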
Explanation of Vulnerability in Simple Terms
02 Summary
AnWP Football Leagues versions up to 0.16.17 contain a flaw that allows high-privilege users to perform limited unauthorized actions when a victim visits a malicious page. The vulnerability affects data confidentiality and integrity but not availability. Site administrators should update to a version newer than 0.16.17 to mitigate this risk.
What an attacker can do
03 Attacker Capabilities
A high-privilege user can trick a victim into visiting a malicious page to read or modify limited data.
Potential impact on your site
04 Site Impact
High-privilege accounts could be abused to leak or alter data if users are socially engineered into visiting attacker-controlled pages.
Conditions required to exploit
05 Prerequisites
Attacker must have high-level site privileges; victim must click a malicious link or visit a crafted page.
Key dates
06 Disclosure timeline
August 12, 2025: CVE published
April 8, 2026: Record updated