The plugin does not validate data when it is output to a CSV file, which could lead to CSV injection.
- Submit an order using =5+5 as “first name” and empty “last name” (the plugin allows that).
- Export the data as CSV from Reports > Export.
- Open the CSV with a spreadsheet application (Excel, LibreOffice).
- The CSV formula gets executed.
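
One way to neutralize such values at export time, as an added example in Python (not the plugin's own code). The field names, sample orders and the `neutralize_cell` / `export_orders` helpers are assumptions made for illustration; the prefix list follows the common OWASP guidance for CSV injection.

```python
import csv
import io

# Leading characters that spreadsheet applications may treat as the start
# of a formula; tab and carriage return are included per OWASP guidance.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return the value as text that no longer begins with a formula trigger."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_PREFIXES):
        # With a leading apostrophe the cell does not start with a trigger
        # character, so the spreadsheet shows it as text instead of evaluating it.
        return "'" + text
    return text


def export_orders(orders, fields):
    """Serialize orders (a list of dicts) to CSV text, neutralizing every cell."""
    buf = io.StringIO()
    # QUOTE_ALL keeps embedded commas, quotes and newlines inside one cell.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(fields)
    for order in orders:
        writer.writerow([neutralize_cell(order.get(f)) for f in fields])
    return buf.getvalue()


# Constructed sample data mirroring the steps above (hypothetical field names).
SAMPLE_ORDERS = [
    {"first_name": "=5+5", "last_name": "", "total": "19.99"},
    {"first_name": "Alice", "last_name": "Smith", "total": "5.00"},
]

if __name__ == "__main__":
    print(export_orders(SAMPLE_ORDERS, ["first_name", "last_name", "total"]))
```

Legitimate values that start with one of these characters, such as a negative amount, are also prefixed; numeric columns can be validated as numbers and written separately instead.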