The plugin did not sanitise the column names when importing a malicious CSV file, allowing for HTML or JavaScript injection.
Import a CSV file containing the following in the header: 'term<b>" autofocus onfocus={alert('Complex\u0020XSS');alert(document.cookie);}//'"
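The following added example (not the plugin's code) shows the flaw and two mitigations: an import-time allow-list for column names and output-time escaping. It assumes the column name is echoed into an `<input>` value attribute; Python, the allow-list policy, the function names and the shortened sample header are all assumptions made for illustration.

```python
import csv
import html
import io
import re
from html.parser import HTMLParser

# Constructed sample file: the first header cell carries markup and a quote.
SAMPLE_CSV = '"term<b>"" autofocus onfocus={alert(1)}//",count\r\nfoo,1\r\n'

# Assumed policy: column names are short and limited to these characters.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9 _.-]{1,64}")


def read_header(csv_text):
    """Return the column names from the first CSV row."""
    return next(csv.reader(io.StringIO(csv_text)))


def rejected_columns(header):
    """Import-time check: column names that fail the allow-list."""
    return [name for name in header if not ALLOWED_NAME.fullmatch(name)]


def render_unsafe(name):
    # The flaw: the column name is concatenated into an attribute as-is.
    return '<input type="text" name="col" value="' + name + '">'


def render_escaped(name):
    # Output-time fix: encode & < > " ' so the name cannot end the attribute.
    return ('<input type="text" name="col" value="'
            + html.escape(name, quote=True) + '">')


class _InputAttrs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def input_attributes(markup):
    """Parse markup with Python's HTML parser; return the <input> attributes."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs
```

Parsing the unescaped output yields extra `autofocus` and `onfocus` attributes on the element, while the escaped output keeps the whole column name inside `value`.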