The plugin does not validate and escape fields when exporting form entries as CSV, leading to a CSV injection
- As unauthenticated, submit a form using =5+5 as value in any field - As admin, export the data as CSV (/wp-admin/admin.php?page=fluent_forms&form;_id=1&route;=entries) - open the CSV with a spreadsheet application (Excel, Libre Office) - the CSV formula gets executed