Exports and Reports < 0.9.2 - Contributor+ CSV Injection
The plugin does not sanitize or validate data when generating the CSV export, which could lead to CSV injection through the Microsoft Excel DDE function, or to data leakage via maliciously injected hyperlinks.
Proof of Concept
As a contributor, put the following payload in a Post title: =1+2
As admin, export a CSV using the plugin's feature (/wp-admin/admin.php?page=exports-reports-group-1), open it with OpenOffice/Excel etc. and note that the formula is processed.
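
One way an export routine can neutralise formula cells before they reach the spreadsheet, shown on the title from the proof of concept. This is an added example, not the plugin's code or its actual fix; the function names `neutralise_csv_cell` and `write_safe_csv` and the sample rows are hypothetical, and the list of trigger characters follows OWASP's CSV injection guidance.

```php
<?php
// Added example: hypothetical helper names, not taken from the plugin.

/**
 * Return the cell unchanged unless a spreadsheet would evaluate it as a
 * formula, in which case prefix it so it is read as plain text.
 */
function neutralise_csv_cell($value): string
{
    $value = (string) $value;
    if ($value === '') {
        return $value;
    }
    // Leading characters that make Excel / OpenOffice treat a cell as a formula.
    $triggers = ['=', '+', '-', '@', "\t", "\r"];
    if (in_array($value[0], $triggers, true)) {
        // A leading apostrophe forces the cell to be interpreted as text.
        // Trade-off: values such as "-5" are exported as text, not numbers.
        return "'" . $value;
    }
    return $value;
}

/**
 * Write rows to an open stream, neutralising every cell first.
 * fputcsv() takes care of quoting delimiters, quotes and newlines.
 */
function write_safe_csv($handle, array $rows): void
{
    foreach ($rows as $row) {
        fputcsv($handle, array_map('neutralise_csv_cell', $row), ',', '"', '\\');
    }
}

// Constructed sample export; the second row carries the PoC post title.
$rows = [
    ['ID', 'Title', 'Author'],
    [101, '=1+2', 'contributor'],
    [102, 'Quarterly report', 'editor'],
    [103, '@SUM(A1:A2)', 'contributor'],
];

$out = fopen('php://output', 'w');
write_safe_csv($out, $rows);
fclose($out);
```

With this in place the exported title appears as the literal text `'=1+2` instead of being evaluated when the admin opens the file.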