The plugin did not sanitise some of its settings, allowing high privilege users such as administrators to set XSS payloads in them which will then be triggered in pages where reviews are enabled
1. Login to WordPress as an Administrator
2. Install and Activate plugin "WP Customer Reviews"
3. Click on "Reviews > Plugin Settings > Review Form Settings"
4. Insert the XSS payload (my XSS payload: <img src=x onerror=alert(1)>) into any field at "Standard fields on reviews" or/and "Custom fields on reviews", then click on "Save Changes".
5. Go to any post where Reviews are enabled to trigger the XSS