The plugin does not validate uploaded CSV files, allowing unauthenticated users to attach a malicious CSV file to a quote, which could lead to a CSV injection once an admin download and open it
Proof of Concept
On a page with a Quote Request form, upload the following CSV as an attachment:
"First Name","Last name","Email","Passport Number"
a,"=cmd|' /C calc'!A0","=1+2",d
The CSV injection will happen when an admin will download and open the CSV file from the All Quotes Dashboard