AnWP Football Leagues CSV Injection Vulnerability

Vulnerability

A CSV injection vulnerability has been identified in the AnWP Football Leagues plugin for WordPress, affecting all versions through 0.16.17. The vulnerability arises in the 'download_csv_players' and 'download_csv_games' functions, which allow authenticated attackers with Administrator-level access to inject malicious input into exported CSV files. When such a file is opened in a local spreadsheet application that evaluates embedded formulas, it could lead to unauthorized code execution on the user's machine.

Impact

Exploitation of this vulnerability could result in arbitrary code execution on the user's local system, triggered by opening the crafted CSV file in a vulnerable application such as Microsoft Excel.

Reproduction

To reproduce this vulnerability, an authenticated user with Administrator privileges can export player or game data as a CSV file using the AnWP Football Leagues plugin. Malicious formulas injected into the exported data are written to the file unescaped and are evaluated when the CSV file is opened in a program that processes such formulas, like Microsoft Excel.

Remediation

Users are advised to update the AnWP Football Leagues plugin to version 0.16.18 or later, where this vulnerability has been patched.
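The fix for this class of bug is to neutralize formula lead-in characters before a cell is written to the export. The following Python block is an added illustration and is not code from the AnWP Football Leagues plugin or its patch: it implements a generic CSV-injection guard (leading single quote plus full quoting, as recommended by OWASP), a CSV exporter that applies it, and a scanner that flags cells in an already-produced export that a spreadsheet would evaluate. The player rows and the column names are constructed sample data, not the plugin's schema.

```python
import csv
import io
import re

# First characters that make Excel and LibreOffice treat a cell as a formula.
# Tab and carriage return are included because Excel honours them as
# formula lead-ins when they appear as the first byte of a cell.
FORMULA_LEADERS = ("=", "+", "-", "@", "\t", "\r")

# Plain numbers such as "-3" or "+3.5" are legitimate data and must not be
# rewritten, otherwise numeric columns silently turn into text.
NUMERIC_RE = re.compile(r"^[+-]?\d+(\.\d+)?$")


def neutralize_cell(value):
    """Return value with any formula lead-in disarmed.

    A leading single quote forces spreadsheet applications to treat the cell
    as literal text. Leading tab/CR characters are dropped rather than kept,
    since they carry no meaning in a name or score field.
    """
    text = "" if value is None else str(value)
    if not text or NUMERIC_RE.match(text):
        return text
    if text[0] in FORMULA_LEADERS:
        stripped = text.lstrip("\t\r")
        return "'" + stripped if stripped else ""
    return text


def export_rows(fieldnames, rows, neutralize=True):
    """Serialize dict rows to CSV text.

    With neutralize=True every cell passes through neutralize_cell; with
    neutralize=False the output reproduces the unsafe behaviour of writing
    user-controlled fields verbatim, so the scanner below has something to find.
    QUOTE_ALL also guards against separators inside a value breaking the row.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        cells = {k: row.get(k) for k in fieldnames}
        if neutralize:
            cells = {k: neutralize_cell(v) for k, v in cells.items()}
        else:
            cells = {k: "" if v is None else str(v) for k, v in cells.items()}
        writer.writerow(cells)
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Return (line_number, column, value) for each cell a spreadsheet would
    evaluate. Useful for reviewing exports produced before the fix. Line 1 is
    the header, so the first data row is reported as line 2."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):
        for col, val in row.items():
            if val and val[0] in FORMULA_LEADERS and not NUMERIC_RE.match(val):
                findings.append((line_no, col, val))
    return findings


# Constructed sample rows; the second and third contain formula-like strings
# of the kind an Administrator could store in a player record.
SAMPLE_FIELDS = ["name", "club", "goals"]
SAMPLE_PLAYERS = [
    {"name": "A. Example", "club": "Constructed FC", "goals": "12"},
    {"name": "=SUM(1,1)", "club": "Constructed FC", "goals": "-3"},
    {"name": "+1 Sample", "club": "@demo", "goals": "0"},
]

if __name__ == "__main__":
    unsafe = export_rows(SAMPLE_FIELDS, SAMPLE_PLAYERS, neutralize=False)
    print("cells a spreadsheet would evaluate in the unsafe export:")
    for finding in find_formula_cells(unsafe):
        print("  ", finding)
    safe = export_rows(SAMPLE_FIELDS, SAMPLE_PLAYERS)
    print("findings in the neutralized export:", find_formula_cells(safe))
    print(safe)
```

Note that the numeric exception is deliberate: neutralizing every leading "-" would corrupt negative scores and goal differences, so the guard only rewrites values that are not plain numbers.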

Added: Aug 12, 2025, 7:19 AM
Updated: Aug 12, 2025, 7:19 AM

Vulnerability Rating

Custom Algorithm
  spread          3.4
  impact          0.0
  exploitability  6.0
  remediation     7.7
  relevance       0.4
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.