The plugin does not sanitise and escape imported comments, which could allow high-privilege users to import malicious ones (either intentionally or not) and lead to Stored Cross-Site Scripting issues.
Import the following CSV (as comments):

comment_post_ID,comment_author,comment_content,comment_rating,comment_approved,user_id
1,admin,malicious,5,1,admin

The XSS will then be triggered on the post into which the comment has been imported (comment_post_ID).
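As an added example that is not the plugin's own code, the following PHP shows how an import routine of this kind can be hardened: every CSV field is sanitised before wp_insert_comment() is called, and the stored values are escaped again when rendered, so imported content is treated like any other untrusted input. The function names, the capability check and the 'rating' meta key are assumptions; the column layout is the one from the proof of concept above.

```php
<?php
// Added example, not the plugin's code: hardened CSV comment importer for WordPress.
// Assumes the advisory's column layout; $csv_path is an already-validated upload.

function import_comments_from_csv( $csv_path ) {
    if ( ! current_user_can( 'moderate_comments' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient privileges to import comments.' );
    }
    $fh = fopen( $csv_path, 'r' );
    if ( false === $fh ) {
        return new WP_Error( 'io', 'Cannot open CSV file.' );
    }
    $header   = fgetcsv( $fh );
    $imported = 0;
    while ( ( $row = fgetcsv( $fh ) ) !== false ) {
        if ( count( $row ) !== count( $header ) ) {
            continue; // malformed row, skip it
        }
        $data    = array_combine( $header, $row );
        $post_id = absint( $data['comment_post_ID'] );
        if ( ! $post_id || ! get_post( $post_id ) ) {
            continue; // the target post must exist
        }
        // Sanitise on input regardless of the importer's unfiltered_html capability:
        // plain-text fields lose all tags, the body keeps only what kses allows in posts.
        // wp_insert_comment() expects slashed data, hence wp_slash().
        $comment_id = wp_insert_comment( wp_slash( array(
            'comment_post_ID'  => $post_id,
            'comment_author'   => sanitize_text_field( $data['comment_author'] ),
            'comment_content'  => wp_kses_post( $data['comment_content'] ),
            'comment_approved' => ( '1' === $data['comment_approved'] ) ? 1 : 0,
            'user_id'          => absint( $data['user_id'] ), // non-numeric ("admin") becomes 0
        ) ) );
        if ( $comment_id ) {
            $rating = min( 5, max( 1, absint( $data['comment_rating'] ) ) ); // clamp to 1..5
            add_comment_meta( $comment_id, 'rating', $rating, true );       // meta key assumed
            $imported++;
        }
    }
    fclose( $fh );
    return $imported;
}

// Escape on output as well: stored data is not trusted just because an admin imported it.
function render_imported_comment( $comment_id ) {
    $comment = get_comment( $comment_id );
    if ( ! $comment ) {
        return '';
    }
    return '<p class="author">' . esc_html( $comment->comment_author ) . '</p>'
         . '<div class="body">' . wp_kses_post( $comment->comment_content ) . '</div>';
}
```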