The plugin does not validate submitted form data when generating the exported CSV, which could lead to CSV injection (formula injection): a field value that begins with a formula character is evaluated by the spreadsheet application that opens the export.
Proof of Concept
- Submit a form using =5+5 as the value.
- Export the data as CSV (from: /wp-admin/admin.php?page=wpforms-entries - /wp-admin/admin.php?page=wpforms-tools&view=export&form=5&&).
- Open the CSV with a spreadsheet application (Excel, LibreOffice).
- The CSV formula gets executed.
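The defensive side of this issue, as an added example (Python, not the plugin's own PHP code): each exported cell that starts with a formula-trigger character is prefixed with a single quote and every cell is quoted on output, so a submission such as `=5+5` is displayed literally instead of being evaluated. The field names and entries are constructed sample data.

```python
import csv
import io

# Leading characters that Excel and LibreOffice treat as the start of a formula,
# or that can break out of a cell (tab, carriage return); OWASP CSV injection list.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if the value would be parsed as a formula when the CSV is opened."""
    return value.startswith(FORMULA_PREFIXES)


def sanitize_cell(value) -> str:
    """Neutralise a user-supplied value before it is written to a CSV cell.

    A leading single quote makes spreadsheet applications render the cell as
    text, so "=5+5" stays "=5+5" instead of becoming 10. Quoting of embedded
    double quotes is left to the csv writer (QUOTE_ALL doubles them).
    """
    text = "" if value is None else str(value)
    if is_formula_like(text):
        text = "'" + text
    return text


def export_entries(fieldnames, entries) -> str:
    """Render form entries as CSV text with every cell sanitised and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(fieldnames)
    for entry in entries:
        writer.writerow(sanitize_cell(entry.get(name)) for name in fieldnames)
    return buf.getvalue()


# Constructed sample submissions standing in for exported form entries.
SAMPLE_FIELDS = ["name", "comment"]
SAMPLE_ENTRIES = [
    {"name": "Alice", "comment": "Hello"},
    {"name": "=5+5", "comment": 'says "hi"'},
]

if __name__ == "__main__":
    print(export_entries(SAMPLE_FIELDS, SAMPLE_ENTRIES))
```

Values that legitimately begin with `-` (negative numbers) are also prefixed; for columns known to be numeric, validate them as numbers at submission time instead of relying on the quote prefix.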