The plugin does not validate data when it is output to a CSV file, which could lead to CSV injection.
- Submit an order using =5+5 as "first name" and empty "last name" (the plugin allows that).
- Export the data as CSV from Reports > Export.
- Open the CSV with a spreadsheet application (Excel, LibreOffice).
- The CSV formula gets executed.
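
An export-side mitigation for the behaviour in the steps above, as an added example in Python (not the plugin's code): cells that a spreadsheet would treat as a formula are prefixed with a single quote before being written, and an audit helper flags risky cells in an existing export. The function names, column names and sample orders are assumptions made for this illustration.

```python
import csv
import io

# Leading characters that spreadsheet applications interpret as the start of
# a formula: = + - @, plus tab and carriage return.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(text):
    """True if the cell, ignoring leading spaces, starts with a trigger."""
    return text.startswith(FORMULA_TRIGGERS) or text.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Return the value as text that a spreadsheet will not evaluate."""
    text = "" if value is None else str(value)
    return "'" + text if is_formula_like(text) else text


def export_orders(rows, safe=True):
    """Write rows to CSV text; safe=False reproduces the unvalidated export."""
    buf = io.StringIO()
    # QUOTE_ALL wraps every field in double quotes and doubles embedded quotes.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["first_name", "last_name", "total"])
    for row in rows:
        writer.writerow([neutralize_cell(c) if safe else c for c in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Audit an existing export: list (row, column, value) of risky cells."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for c, cell in enumerate(row, start=1):
            if is_formula_like(cell):
                hits.append((r, c, cell))
    return hits


# Constructed sample orders; the first is the order from the steps above.
ORDERS = [["=5+5", "", "19.99"], ["Alice", "Smith", "5.00"], ["-Bob", "@home", "7.50"]]

if __name__ == "__main__":
    print(export_orders(ORDERS, safe=False))
    print(export_orders(ORDERS, safe=True))
```

Legitimate values that begin with a trigger character, such as negative numbers, are also prefixed, so numeric columns are better validated as numbers before export.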