The plugin does not validate and escape fields when exporting form entries as CSV, leading to CSV injection.
- As an unauthenticated user, submit a form using =5+5 as the value in any field
- As an admin, export the data as CSV (/wp-admin/admin.php?page=fluent_forms&form_id=1&route=entries)
- Open the CSV with a spreadsheet application (Excel, LibreOffice)
- The formula in the CSV gets executed
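
One way to neutralise such values on the export side, shown as an added example and not the plugin's own code or its actual fix. The function names `neutralize_csv_cell` and `export_entries_csv` and the sample rows are hypothetical.

```php
<?php
// Added example (not Fluent Forms code): neutralise formula cells before CSV export.

/**
 * Return the cell unchanged if it is harmless, otherwise prefix it with an
 * apostrophe so spreadsheet applications treat it as text.
 */
function neutralize_csv_cell($value): string
{
    $value = (string) $value;
    // Plain numbers such as "-12.5" cannot carry a formula; leave them usable.
    if ($value === '' || is_numeric($value)) {
        return $value;
    }
    // Leading characters that start a formula in Excel / LibreOffice, plus
    // tab and carriage return, which some importers skip before parsing.
    if (strpbrk($value[0], "=+-@\t\r") !== false) {
        return "'" . $value;
    }
    return $value;
}

/**
 * Write rows to a CSV stream, neutralising every cell first.
 * fputcsv() still handles quoting of commas, quotes and newlines.
 */
function export_entries_csv($stream, array $rows): void
{
    foreach ($rows as $row) {
        fputcsv($stream, array_map('neutralize_csv_cell', $row), ',', '"', '\\');
    }
}

// Constructed sample entries, including the value from the steps above.
$rows = [
    ['name', 'comment'],
    ['alice', '=5+5'],   // formula payload: exported as text
    ['bob', '-12.5'],    // legitimate negative number: left as is
    ['carol', 'hello'],
];

$out = fopen('php://memory', 'w+');
export_entries_csv($out, $rows);
rewind($out);
echo stream_get_contents($out);
fclose($out);
```

Escaping has to happen at export time, because the stored value is harmless in HTML views and only becomes active once a spreadsheet parses it.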