The plugin does not not sanitise or validate the Sheet title when generating the CSV to export, which could lead to a CSV injection issue
Go to the Sign-up Sheets--> Add New.
Enter the following CSV Injection payload in the field "Title", "Details" and "Task" click on save button.
=cmd|' /C notepad'!'A1'
or
DDE ("cmd";"/C calc";"!A0")A0
After that click on "Export All as CSV " when admin open this downloaded csv file the csv injection payload get executed.
Note (WPScanTeam): To easily reproduce the issue: Create a new sheet with =1+2 as Title, then export it via the All Sheets > Export All as CSV, open it with OpenOffice or any other Spreadsheet viewer and note that the Title column is processed as formula, displaying 3 and not =1+2