The start of what you’re doing wrong can be explained by this quote:
which action attribute points to a file (download.csv.php) in my
plugin folder, that should not be shown, just prompt a file download
dialog for the csv dump.
and this code:
$core = $_POST['download'].'wp-load.php';
if(isset($_POST['download']) && is_file($core)){
require_once( $core );
What you’re basically doing is a) stepping outside of the WordPress environment and accessing some part of your plugin directly and b) then trying to load the WordPress environment from inside that file (and doing it in an extremely insecure manner, I might add).
Instead of doing that, it’s better to stay inside the WordPress environment to begin with and to override the output to be the way you want it to be.
A better way would be to stay in the admin, hook to admin_init, and detect when you need to get your CSV output and return that instead.
So for your form, do something like this:
<form method="post" id="download_form" action="">
<input type="submit" name="download_csv" class="button-primary" value="<?php _e('Download the log (.csv)', $this->localizationDomain); ?>" />
</form>
Notice no action is used here. This means it’s submitting back to your same admin page, with no changes. Now, you can detect that in whatever function you have connected to the admin_init action hook, like so:
global $plugin_page;
if ( isset($_POST['download_csv']) && $plugin_page == 'whatever' ) {
echo "HELLO"; die;
}
The $plugin_page global will be set to the page=whatever you have in your normal plugin’s settings screen. Instead of echoing “HELLO” like I did here, call a function in your plugin to generate and output that CSV properly, headers and all, and then die. Or something to that effect.
Note that this is simplistic, and may be insecure. You may also want to do a nonce and a capabilities check here, to ensure that the user is allowed to download this CSV and intended to do so.