Easy Digital Downloads < 184.108.40.206 - Unauthenticated CSV Injection
The plugin does not sanitize data when it is output to a CSV file, which could lead to CSV injection (a spreadsheet application opening the export may evaluate attacker-supplied cell contents as formulas).
Proof of Concept
- Submit an order using =5+5 as the "first name" and an empty "last name" (the plugin allows that).
- Export the data as CSV from Reports > Export.
- Open the CSV with a spreadsheet application (Excel, LibreOffice).
- The CSV formula gets executed when the file is opened.
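The fix is to neutralize any user-controlled cell that a spreadsheet would parse as a formula before it is written to the export. The following is an added example of that mitigation and is not the plugin's own code; the function names, the sample order rows and the e-mail addresses are constructed for illustration.

```python
import csv
import io

# Leading characters that make Excel / LibreOffice evaluate a cell as a formula
# (the set recommended by OWASP for CSV injection defenses).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def escape_csv_cell(value):
    """Return the cell value made safe for a CSV export.

    Genuine numbers are emitted as-is so negative amounts keep working;
    any other value is rendered as text and, if it starts with a formula
    trigger, prefixed with a single quote so the spreadsheet treats it as
    a literal string (the quote is visible in the cell; that is the
    accepted trade-off of this mitigation).
    """
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_rows(rows):
    """Serialize rows (lists of cell values) to a CSV string, escaping every cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    for row in rows:
        writer.writerow([escape_csv_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample: an order whose "first name" is the =5+5 payload from the PoC.
SAMPLE_ORDERS = [
    ["first_name", "last_name", "email", "total"],
    ["=5+5", "", "buyer@example.invalid", 10],
    ["Alice", "Smith", "alice@example.invalid", -2.5],
]

if __name__ == "__main__":
    # The payload row is written as "'=5+5", which no longer evaluates on open.
    print(export_rows(SAMPLE_ORDERS))
```

Apply the escaping to every field an unauthenticated user can influence (names, addresses, notes), not just the one used in the proof of concept.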