wpvulndb | Adel Bouaricha | WPVDB-ID:E3D72E04-9CDF-4B7D-953E-876E26ABDFC6
History: Oct 17, 2022 - 12:00 a.m.

Import and export users and customers < 1.20.5 - Subscriber+ CSV Injection

2022-10-17 00:00:00
Adel Bouaricha
wpscan.com

EPSS: 0.001 (Low)
Percentile: 44.6%

The plugin does not properly escape data when exporting it via CSV files.

PoC

  1. Edit your subscriber account’s nickname to: ;=1+3
  2. As an administrator, export your user data via http://vulnerable-site.tld/wp-admin/tools.php?page=acui&tab=export, and open the resulting CSV file in Excel or equivalent software.
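
One way to neutralise cells on export, shown as an added example that is not the plugin's code or its 1.20.5 fix. The function names and sample rows are hypothetical, and it assumes the spreadsheet honours double-quoted fields; it applies the commonly recommended mitigation of quoting every field and prefixing an apostrophe to cells that start with `=`, `+`, `-`, `@`, tab or carriage return.

```php
<?php
// Added example: not the plugin's code. Function names are hypothetical.

// Leading characters that make spreadsheet software evaluate a cell as a formula.
const EXAMPLE_FORMULA_TRIGGERS = "=+-@\t\r";

// Prefix an apostrophe when the first non-space character is a formula trigger,
// so the cell is displayed as text instead of being evaluated.
function example_neutralise_cell(string $value): string
{
    $probe = ltrim($value, ' ');
    if ($probe !== '' && strpos(EXAMPLE_FORMULA_TRIGGERS, $probe[0]) !== false) {
        return "'" . $value;
    }
    return $value;
}

// Build one CSV line with every field double-quoted. fputcsv() encloses only
// fields that contain the delimiter, the enclosure or whitespace, so with ","
// as delimiter a value such as ";=1+3" would be written bare; quoting all
// fields keeps an embedded ";" or "," from being read as a cell boundary.
function example_csv_line(array $row, string $delimiter = ','): string
{
    $cells = array_map(function ($value) {
        $safe = example_neutralise_cell((string) $value);
        return '"' . str_replace('"', '""', $safe) . '"';
    }, $row);
    return implode($delimiter, $cells) . "\r\n";
}

// Constructed sample rows (user_login, nickname); ";=1+3" is the PoC nickname.
$rows = [
    ['alice', 'Alice'],
    ['bob', ';=1+3'],
    ['carol', '=1+3'],
    ['dave', 'say "hi"'],
];

foreach ($rows as $row) {
    echo example_csv_line($row);
}
```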
