CVE-2025-8767
BaseFortify
Publication date: 2025-08-12
Last updated on: 2025-08-12
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| anwp | football_leagues | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1236 | The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a CSV Injection in the AnWP Football Leagues WordPress plugin (versions up to 0.16.17). Authenticated users with Administrator-level access can inject malicious input into CSV files exported via the 'download_csv_players' and 'download_csv_games' functions. When these CSV files are downloaded and opened in spreadsheet software, the injected content can be interpreted as executable formulas, potentially leading to code execution on the local system.
How can this vulnerability impact me? :
If exploited, this vulnerability can allow an attacker with Administrator-level access to embed malicious formulas into exported CSV files. When these files are opened in spreadsheet applications, the formulas may execute, potentially leading to unauthorized code execution, data leakage, or other malicious actions on the local machine of the user opening the file.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves identifying if the vulnerable AnWP Football Leagues plugin version (up to 0.16.17) is installed and if CSV export functions ('download_csv_players' or 'download_csv_games') are accessible to authenticated users with Administrator-level access. You can check the plugin version in WordPress admin or via command line. For example, to check the plugin version via WP-CLI: `wp plugin get football-leagues --field=version`. Additionally, monitoring HTTP requests for access to CSV export endpoints or admin actions related to CSV downloads may help detect exploitation attempts. There are no specific commands provided in the resources for direct detection of exploitation. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the AnWP Football Leagues plugin to a version that includes the security fix which sanitizes CSV cell values to prevent CSV Injection (as introduced in the changeset described). If an update is not immediately available, restrict Administrator-level access to trusted users only, and avoid exporting or opening CSV files generated by the plugin until the issue is resolved. Applying the patch that sanitizes CSV cells by prefixing potentially dangerous formula characters with a single quote is the recommended fix. [2]