Import and export users and customers < 1.20.5 - Subscriber+ CSV Injection
The plugin does not properly escape data when exporting it via CSV files.
Proof of Concept
1) Edit your subscriber account's nickname to: ;=1+3
2) As an administrator, export your users data via http://vulnerable-site.tld/wp-admin/tools.php?page=acui&tab=export, and open the resulting CSV file in Excel or equivalent software.