The plugin does not validate and sanitise fields when exporting people to a CSV file, leading to a CSV injection vulnerability.
1. Add a new person, put the following CSV calculator payload into the Display Name, Phone Number and Description fields, and save the entry.
Payload: =cmd|' /C calc'!'A1' or =cmd|' /C calc'!A0
2. In the All People section, click on "Export CSV".
If the CSV is opened in a vulnerable application, the payload will execute.
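The export-side check that is missing here can be sketched as follows. This is an added example, not the plugin's own code: the function names, the column names and the sample record are assumptions, and the neutralisation follows the OWASP CSV injection guidance of prefixing formula-leading cells with a single quote and quoting every field.

```python
import csv
import io

# Leading characters that make a spreadsheet evaluate a cell as a formula
# (OWASP CSV injection guidance): =, +, -, @, tab and carriage return.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Hypothetical column names, modelled on the fields named in the steps above.
FIELDS = ("display_name", "phone_number", "description")


def neutralise_cell(value):
    """Return the value as text that a spreadsheet will not evaluate."""
    text = "" if value is None else str(value)
    # Leading spaces are skipped for the check because some applications
    # trim them before deciding whether the cell is a formula.
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        # Trade-off: legitimate values such as "+1 555 0100" or "-5" also
        # get the quote prefix, which the spreadsheet shows as plain text.
        return "'" + text
    return text


def export_people(people):
    """Serialise people to CSV with every cell neutralised and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow(FIELDS)
    for person in people:
        writer.writerow([neutralise_cell(person.get(f)) for f in FIELDS])
    return buf.getvalue()


# Constructed sample record; the display name is the payload from step 1.
SAMPLE = [{
    "display_name": "=cmd|' /C calc'!'A1'",
    "phone_number": "+1 555 0100",
    "description": "Team lead",
}]

if __name__ == "__main__":
    print(export_people(SAMPLE))
```

Neutralising at export time keeps the stored data unchanged, so the same values can still be rendered in HTML with their own context-specific escaping.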