The plugin does not sanitise and escape reviews, which could allow any authenticated user, such as a Subscriber, to perform Stored Cross-Site Scripting attacks.
As a subscriber, submit a review (on a page/post with the [ms_reviews] embed) with the following payload: <script>alert(/XSS/)</script>
The XSS will be triggered when anyone (including an admin) views the page/post in the frontend.
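
The missing sanitising and escaping described above, shown beside the vulnerable pattern as an added example in plain PHP; it is not the plugin's own code. The function names and the review array layout are assumptions, and the comments name the WordPress functions that play the same roles.

```php
<?php
// Added example: plain PHP, not the plugin's code. Function names and the
// $review array layout are hypothetical.

// Vulnerable pattern: stored review fields are concatenated into HTML as-is.
function render_review_unsafe(array $review): string {
    return '<div class="review"><strong>' . $review['author'] . '</strong><p>'
         . $review['text'] . '</p></div>';
}

// Input side: reduce a submission to plain text before it is stored.
// In WordPress, sanitize_textarea_field() serves this purpose.
function sanitize_review_text(string $raw): string {
    $text = strip_tags($raw);
    // Remove control characters, keeping tab, LF and CR.
    $text = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $text) ?? '';
    return trim($text);
}

// Output side: encode HTML metacharacters at the point of output.
// In WordPress, esc_html() serves this purpose.
function esc_review(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_review_safe(array $review): string {
    return '<div class="review"><strong>' . esc_review($review['author'])
         . '</strong><p>' . esc_review($review['text']) . '</p></div>';
}

// Constructed sample: a review stored before any input sanitising existed,
// holding the payload quoted in the report.
$legacy = ['author' => 'subscriber1', 'text' => '<script>alert(/XSS/)</script>'];

// Unsafe rendering passes the markup through to the browser.
echo render_review_unsafe($legacy), PHP_EOL;

// Escaping on output neutralises rows that are already in the database.
echo render_review_safe($legacy), PHP_EOL;

// New submissions are sanitised on the way in and still escaped on the way out.
$fresh = ['author' => 'subscriber1', 'text' => sanitize_review_text($legacy['text'])];
echo render_review_safe($fresh), PHP_EOL;
```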