cleantalk
Vulnerabilities and Security Researches

AnWP Football Leagues, CVE-2025-8767

CVE, Research URL

CVE-2025-8767

Home page URL

Security reports for AnWP Football Leagues

Application

AnWP Football Leagues

Published on
Aug 12, 2025
Research Description
The AnWP Football Leagues plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 0.16.17 via the 'download_csv_players' and 'download_csv_games' functions. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
Affected versions
Min -, max 0.16.18.
Status
vulnerable
Previous vulnerability researches
GamiPress – Reset User (CVE-2024-8245) , May 19, 2025
GamiPress – Link (CVE-2024-5536) , Jun 07, 2024
GamiPress – Button (CVE-2024-2460) , Jun 06, 2024
GamiPress – Button (98ba15e94d5d1c2d4f99fb15090730d0e1b597a1) , Jun 06, 2024
GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress (CVE-2024-1799) , Jun 07, 2024
New vulnerability
RentSyst – CRM solution for fleet management (CVE-2025-48152) , Aug 12, 2025
Mosaic Generator (CVE-2025-8621) , Aug 12, 2025
B Slider – Slider for your block editor (CVE-2025-8418) , Aug 12, 2025
AnWP Football Leagues (CVE-2025-8767) , Aug 12, 2025
User Language Switch (CVE-2025-49064) , Aug 12, 2025