We have been using Gravity Forms on a number of high-profile WordPress installations and discovered a serious security issue with the 'export' feature. It seems that the download feature does not work. I have tested it in the latest version of Firefox (4.0) and Google Chrome (12.0.712.0 Dev Build) and it simply does not download (or even alert the user of what has happened). Instead, it generates a file (perhaps temporarily) in a folder within the uploads directory. I assume that this is for streaming to the browser (when really it should be done on-the-fly using PHP headers instead of creating a hard-copy of the file).
As a result of the above, the user-sensitive data now becomes publicly accessible, as the uploads directory requires 755 permissions as stated in the WordPress documentation. To combat this issue, a permissions change (using .htaccess for example) to block access is required.
Can someone please advise on whether this is an issue you guys are aware of and if not, investigate, as it is and has been (for us) a serious security flaw.
P.S. The export did work in Safari.
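
The approach the post asks for, streaming the export straight to the browser with PHP headers so that no copy lands in the uploads directory, could look like the following. This is an added example, not part of the original post and not Gravity Forms code; the function names, the file name and the sample rows are assumptions, and the caller is assumed to have already verified that the requester is an authorised administrator.

```php
<?php
// Added example: stream a CSV export without writing it under uploads/.
// Function names, file name and sample rows are constructed for illustration.

// Write rows as CSV to an already-open stream; returns the number of data rows.
function write_entries_csv($out, array $header, array $rows): int
{
    fputcsv($out, $header, ',', '"', '\\');
    $written = 0;
    foreach ($rows as $row) {
        $line = [];
        foreach ($header as $col) {
            // Emit columns in header order; a missing field becomes an empty cell.
            $line[] = isset($row[$col]) ? (string) $row[$col] : '';
        }
        fputcsv($out, $line, ',', '"', '\\');
        $written++;
    }
    return $written;
}

// Send the export as a download. Assumes the caller has already checked
// that the current user is allowed to export entries.
function send_entries_download(array $header, array $rows, string $filename): void
{
    if (headers_sent()) {
        throw new RuntimeException('Cannot start download: output already sent');
    }
    header('Content-Type: text/csv; charset=utf-8');
    header('Content-Disposition: attachment; filename="' . basename($filename) . '"');
    header('Cache-Control: no-store, private'); // keep the export out of caches
    header('X-Content-Type-Options: nosniff');
    $out = fopen('php://output', 'w');          // response body, not a file on disk
    write_entries_csv($out, $header, $rows);
    fclose($out);
}

// Constructed sample data standing in for form entries.
$header = ['name', 'email'];
$rows = [
    ['name' => 'Alice Example', 'email' => 'alice@example.test'],
    ['name' => 'Bob Example'],
];
if (PHP_SAPI === 'cli') {
    write_entries_csv(STDOUT, $header, $rows);  // command-line demo of the writer
} else {
    send_entries_download($header, $rows, 'entries-export.csv');
}
```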