CVE-2025-8767 is a CSV Injection vulnerability classified under CWE-1236 affecting the AnWP Football Leagues plugin for WordPress, specifically versions up to and including 0.16.17. The vulnerability exists in the 'download_csv_players' and 'download_csv_games' functions, which export player and game data into CSV files. Authenticated attackers with Administrator-level access or higher can inject malicious formula elements (e.g., starting with '=', '+', '-', or '@') into CSV fields. When these CSV files are opened in spreadsheet software such as Microsoft Excel or LibreOffice Calc, the embedded formulas can be executed, potentially leading to arbitrary code execution or command execution on the local system. This attack vector exploits the way spreadsheet applications interpret cell content as formulas. The vulnerability requires high privileges to exploit and user interaction to open the malicious file, which limits its exploitation scope. The CVSS v3.1 base score is 4.8, reflecting medium severity with network attack vector, low attack complexity, high privileges required, and user interaction needed. The vulnerability impacts confidentiality and integrity by enabling code execution through CSV files but does not affect availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability was published on August 12, 2025, and assigned by Wordfence. Organizations using this plugin should be aware of the risk of CSV Injection and take appropriate mitigation steps.

The primary impact of CVE-2025-8767 is the potential for arbitrary code execution on client systems when malicious CSV files are opened in vulnerable spreadsheet applications. This can lead to unauthorized disclosure of sensitive information (confidentiality impact) and unauthorized modification or corruption of data (integrity impact). Since exploitation requires administrator-level access to the WordPress site, the initial compromise barrier is high, but once exploited, it can facilitate lateral movement or data exfiltration. The attack does not directly affect the availability of the WordPress site or the plugin. However, if exploited, it could undermine trust in the affected organization's data exports and potentially lead to broader compromise of internal systems if users open malicious CSV files. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially for organizations heavily reliant on the AnWP Football Leagues plugin for data management and reporting.

To mitigate CVE-2025-8767, organizations should implement the following specific measures: 1) Restrict Administrator-level access strictly to trusted personnel to reduce the risk of malicious CSV injection. 2) Sanitize and validate all user inputs that can be included in CSV exports, specifically neutralizing or escaping formula characters ('=', '+', '-', '@') at the start of any CSV field to prevent formula injection. 3) Educate users to avoid opening CSV files from untrusted or unauthenticated sources, especially those exported from the AnWP Football Leagues plugin. 4) Use spreadsheet software settings or plugins that disable automatic formula execution or prompt users before executing formulas in CSV files. 5) Monitor and audit CSV export activities within WordPress to detect unusual or unauthorized exports. 6) Follow the vendor’s updates closely and apply patches promptly once available. 7) Consider implementing Content Security Policy (CSP) and other WordPress security best practices to reduce the risk of privilege escalation that could lead to exploitation. 8) If feasible, temporarily disable CSV export functions until a patch is released or a secure workaround is implemented.