The plugin does not properly escape the fields when exporting data as CSV, leading to a CSV injection vulnerability.
- create a post using =5+5 as the title - export the data as CSV - open the CSV with a spreadsheet application (Excel, Libre Office) - the CSV formula gets executed