CVE-2025-8767: CWE-1236 Improper Neutralization of Formula Elements in a CSV File in anwppro AnWP Football Leagues
The AnWP Football Leagues plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 0.16.17 via the 'download_csv_players' and 'download_csv_games' functions. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
AI Analysis
Technical Summary
CVE-2025-8767 describes a CSV Injection vulnerability (CWE-1236) in the AnWP Football Leagues WordPress plugin affecting all versions up to 0.16.17. The issue arises from improper neutralization of formula elements in CSV exports generated by the 'download_csv_players' and 'download_csv_games' functions. Authenticated attackers with Administrator privileges can embed malicious input into CSV files, which may execute code when opened in vulnerable spreadsheet software. The CVSS 3.1 base score is 4.8, reflecting a medium severity with network attack vector, low attack complexity, high privileges required, and user interaction needed.
Potential Impact
An authenticated user with Administrator-level access can inject malicious formula code into CSV files exported by the plugin. This can lead to code execution on the local machine of anyone who opens the CSV file in a spreadsheet application that processes such formulas. The impact is limited by the requirement for high privileges and user interaction to open the file, resulting in a medium severity rating.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Administrator-level access to trusted users only and exercise caution when opening CSV files exported from this plugin. Consider sanitizing or validating CSV content before export to neutralize formula elements if possible.
CVE-2025-8767: CWE-1236 Improper Neutralization of Formula Elements in a CSV File in anwppro AnWP Football Leagues
Description
The AnWP Football Leagues plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 0.16.17 via the 'download_csv_players' and 'download_csv_games' functions. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-8767 describes a CSV Injection vulnerability (CWE-1236) in the AnWP Football Leagues WordPress plugin affecting all versions up to 0.16.17. The issue arises from improper neutralization of formula elements in CSV exports generated by the 'download_csv_players' and 'download_csv_games' functions. Authenticated attackers with Administrator privileges can embed malicious input into CSV files, which may execute code when opened in vulnerable spreadsheet software. The CVSS 3.1 base score is 4.8, reflecting a medium severity with network attack vector, low attack complexity, high privileges required, and user interaction needed.
Potential Impact
An authenticated user with Administrator-level access can inject malicious formula code into CSV files exported by the plugin. This can lead to code execution on the local machine of anyone who opens the CSV file in a spreadsheet application that processes such formulas. The impact is limited by the requirement for high privileges and user interaction to open the file, resulting in a medium severity rating.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Administrator-level access to trusted users only and exercise caution when opening CSV files exported from this plugin. Consider sanitizing or validating CSV content before export to neutralize formula elements if possible.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-08-08T18:17:14.475Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 689ae392ad5a09ad002e817f
Added to database: 8/12/2025, 6:47:46 AM
Last enriched: 4/9/2026, 9:47:55 PM
Last updated: 5/10/2026, 7:21:44 AM
Views: 197
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.