The Easy Digital Downloads WordPress plugin prior to 3.1.0.2 does not validate data when it is output in a CSV file, which could lead to CSV injection.
sandhillsdev easy digital downloads