The WordCamp Talks plugin does not attempt to sanitize CSV exports, which can lead to spreadsheet formula injection via malicious inputs.
2, showing the title was imported as a formula.
Excel allows external commands to be executed via formulas after a warning prompt. The warning says "Do not enable this content unless you trust the source of this file", but since most users do trust the source (their WordCamp site), they may be more likely to allow it.
Lots of arbitrary commands can be executed this way, including installing other commands in a way that can bypass antivirus scanning.
More details can be found at https://pentestmag.com/formula-injection/
wct_generate_csv_content() needs to ensure that the first character in each value is not one of
+. These can come from several columns such as the title, categories, and tags, so all data should be sanitized.
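One way to apply that first-character check to every column before a row is written, as an added example that is not the plugin's own code. The function names are hypothetical, the sample rows are constructed, and the trigger set (`=`, `+`, `-`, `@`, tab, carriage return) and the single-quote prefix are assumptions taken from OWASP's CSV injection guidance rather than from this report.

```php
<?php
// Added example, not the plugin's code. Function names are hypothetical.

/**
 * Neutralize one CSV cell so spreadsheet applications treat it as text.
 * The trigger set is an assumption based on OWASP's CSV injection guidance.
 */
function example_escape_csv_cell( $value ) {
    $value = (string) $value;
    if ( '' === $value ) {
        return $value;
    }
    $triggers = array( '=', '+', '-', '@', "\t", "\r" );
    // Also test the value with leading whitespace removed, so a padded
    // formula such as " =1+1" is caught as well.
    $trimmed = ltrim( $value );
    $risky   = in_array( $value[0], $triggers, true )
        || ( '' !== $trimmed && in_array( $trimmed[0], $triggers, true ) );
    // A leading single quote makes the spreadsheet read the cell as text.
    // Trade-off: legitimate values such as "-5" are prefixed too.
    return $risky ? "'" . $value : $value;
}

/**
 * Build one CSV line with every column escaped, not only the title.
 */
function example_csv_line( array $row ) {
    $handle = fopen( 'php://memory', 'w+' );
    $safe   = array_map( 'example_escape_csv_cell', $row );
    // fputcsv() handles quoting of delimiters and double quotes.
    fputcsv( $handle, $safe, ',', '"', '\\' );
    rewind( $handle );
    $line = stream_get_contents( $handle );
    fclose( $handle );
    return $line;
}

// Constructed sample rows covering the columns named in the report.
$rows = array(
    array( 'title', 'categories', 'tags' ),
    array( '=1+1', 'Security', '+plugins' ),
    array( 'Plain talk title', '@community', 'php, wordpress' ),
);
foreach ( $rows as $row ) {
    echo example_csv_line( $row );
}
```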