The plugin does not properly escape fields when exporting data as CSV, leading to a CSV injection
- create a post using =5+5 as the title - export the data as CSV (/wp-admin/admin.php?page=post-to-csv.php) - open the CSV with a spreadsheet application (Excel, Libre Office) - the CSV formula gets executed