The plugin does not properly escape fields when exporting data as CSV, leading to CSV injection.
- create a post using =5+5 as the title
- export the data as CSV (/wp-admin/admin.php?page=post-to-csv.php)
- open the CSV with a spreadsheet application (Excel, LibreOffice)
- the CSV formula gets executed
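
One way to neutralise such fields at export time, shown as an added example that is not the plugin's own code. The function names and sample rows are assumptions made here, and the leading-apostrophe prefix is one common mitigation, not necessarily the fix the plugin adopted.

```php
<?php
// Added example (not the plugin's code): make exported cells render as text.

/**
 * Return a cell value that a spreadsheet will treat as plain text.
 * Values starting with =, +, -, @, tab or carriage return are prefixed
 * with an apostrophe so the application does not evaluate them.
 * Trade-off: a value such as "-3" is exported as text, not as a number.
 */
function csv_safe_cell($value): string
{
    $value = (string) $value;
    if ($value !== '' && strpbrk($value[0], "=+-@\t\r") !== false) {
        return "'" . $value;
    }
    return $value;
}

/** Write one row with every field neutralised; fputcsv handles the quoting. */
function csv_safe_row($handle, array $row): void
{
    fputcsv($handle, array_map('csv_safe_cell', $row), ',', '"', '\\');
}

// Constructed sample rows; the first post title is the one used in the steps above.
$rows = [
    ['ID', 'Title', 'Author'],
    [1, '=5+5', 'admin'],
    [2, 'Release notes, v2', 'editor'],
    [3, '-3 degrees today', 'editor'],
];

$out = fopen('php://output', 'w');
foreach ($rows as $row) {
    csv_safe_row($out, $row);
}
fclose($out);
```

The neutralisation has to run on every field of every row, including ones that are not user-editable today, because any column that later carries user input would otherwise reintroduce the issue.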