CVE-2025-8767: CWE-1236 Improper Neutralization of Formula Elements in a CSV File in anwppro AnWP Football Leagues
The AnWP Football Leagues plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 0.16.17 via the 'download_csv_players' and 'download_csv_games' functions. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
AI Analysis
Technical Summary
CVE-2025-8767 is a medium-severity vulnerability affecting the AnWP Football Leagues WordPress plugin, specifically all versions up to and including 0.16.17. The vulnerability is classified under CWE-1236, which pertains to improper neutralization of formula elements in CSV files, commonly known as CSV Injection. The issue arises in the plugin's 'download_csv_players' and 'download_csv_games' functions, which allow authenticated users with Administrator-level privileges or higher to export CSV files containing untrusted input. Because the plugin does not properly sanitize or neutralize formula characters (such as '=', '+', '-', '@') in the CSV output, an attacker can embed malicious spreadsheet formulas into exported CSV files. When these files are subsequently downloaded and opened in spreadsheet applications like Microsoft Excel or LibreOffice Calc, the embedded formulas may execute, potentially leading to code execution or other malicious actions on the local system. Exploitation requires high privileges (Administrator or above) and user interaction (opening the CSV file). The CVSS v3.1 base score is 4.8, reflecting network attack vector, low attack complexity, high privileges required, user interaction needed, and partial impact on confidentiality and integrity but no impact on availability. No known exploits are currently in the wild, and no patches have been published yet. This vulnerability highlights the risk of insufficient input sanitization in CSV exports, which can be leveraged for client-side attacks when trusted users handle exported data.
Potential Impact
For European organizations using the AnWP Football Leagues plugin on WordPress sites, this vulnerability poses a risk primarily to administrators who export player or game data as CSV files. If an attacker with administrator access embeds malicious formulas into CSV exports, and these files are opened by other users or administrators on vulnerable spreadsheet software, it could lead to execution of arbitrary code or commands on local machines. This can compromise confidentiality by leaking sensitive data, integrity by altering data or executing unauthorized actions, and potentially lead to further compromise of internal systems. Although the vulnerability requires high privileges and user interaction, the impact can be significant in environments where exported CSV files are routinely shared or processed. European organizations involved in sports management, fan engagement, or related activities using this plugin are at risk. Additionally, the vulnerability could be leveraged in targeted attacks against organizations with lax internal controls or insufficient endpoint protections. The lack of a patch increases exposure until mitigations are applied.
Mitigation Recommendations
1. Immediately restrict Administrator-level access to trusted personnel only, minimizing the risk of malicious input.
2. Avoid exporting CSV files using the vulnerable plugin functions until a patch is released.
3. Implement input validation and sanitization on all user-supplied data fields that may be included in CSV exports, specifically neutralizing or escaping formula characters such as '=', '+', '-', and '@'.
4. Educate users to open CSV files in spreadsheet applications with formula execution disabled or in safe modes to prevent automatic formula evaluation.
5. Employ endpoint security solutions that can detect and block suspicious macro or formula execution in office documents.
6. Monitor logs for unusual administrator activity related to CSV exports.
7. Once available, promptly apply vendor patches or updates addressing this vulnerability.
8. Consider using alternative plugins or custom export solutions that properly sanitize CSV content.
9. Implement network segmentation and least privilege principles to limit the impact of any potential compromise stemming from this vulnerability.
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-08T18:17:14.475Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 689ae392ad5a09ad002e817f
Added to database: 8/12/2025, 6:47:46 AM
Last enriched: 8/12/2025, 7:03:49 AM
Last updated: 8/12/2025, 8:25:26 AM
Related Threats
- CVE-2025-40770: CWE-300: Channel Accessible by Non-Endpoint in Siemens SINEC Traffic Analyzer (High)
- CVE-2025-40769: CWE-1164: Irrelevant Code in Siemens SINEC Traffic Analyzer (High)
- CVE-2025-40768: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Siemens SINEC Traffic Analyzer (High)
- CVE-2025-40767: CWE-250: Execution with Unnecessary Privileges in Siemens SINEC Traffic Analyzer (High)
- CVE-2025-40766: CWE-400: Uncontrolled Resource Consumption in Siemens SINEC Traffic Analyzer (Medium)