The plugin does not validate data when its output in a CSV file, which could lead to CSV injection.
- Submit a form (using Contact Form 7, Ninja Forms, Elementor Forms or WP Forms) using =5+5 as the value
- Export the data as CSV (/wp-admin/admin.php?page=vxcf_leads)
- Open the CSV with a spreadsheet application (Excel, Libre Office)
- The CSV formula gets executed