The plugin does not properly escape data when exporting it via CSV files.
PoC
- Edit your subscriber account’s nickname to: ;=1+3 2) As an administrator, export your users data via http://vulnerable-site.tld/wp-admin/tools.php?page=acui&tab;=export, and open the resulting CSV file in Excel or equivalent software.