cleantalk
Vulnerabilities and Security Researches

AnWP Football Leagues, CVE-2025-8767

CVE, Research URL

CVE-2025-8767

Home page URL

Security reports for AnWP Football Leagues

Application

AnWP Football Leagues

Published on
Aug 12, 2025
Research Description
The AnWP Football Leagues plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 0.16.17 via the 'download_csv_players' and 'download_csv_games' functions. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
Affected versions
Min -, max 0.16.18.
Status
vulnerable
Previous vulnerability researches
AnWP Football Leagues (CVE-2024-8917) , Sep 25, 2024
AnWP Football Leagues (CVE-2025-8767) , Aug 12, 2025
New vulnerability
String locator , Aug 13, 2025
Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler (CVE-2025-54028) , Aug 13, 2025
Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks (CVE-2025-54007) , Aug 13, 2025
WooCommerce Purchase Orders (CVE-2025-5391) , Aug 13, 2025
RentSyst – CRM solution for fleet management (CVE-2025-48152) , Aug 12, 2025