The plugin contains a Local File Inclusion (LFI) vulnerability because it does not sanitize the comment_file attribute of the cusrev_reviews shortcode, which makes it possible for authenticated attackers with a role as low as contributor to include arbitrary files.
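
One way to validate a shortcode attribute that names a template file before it reaches include, shown as an added example that is not the plugin's own code or its actual fix. The function name resolve_comment_template, the template file names and the directory layout are hypothetical; the demo files are constructed in a temporary directory.

```php
<?php
// Added illustration, not code from the plugin. All names here are hypothetical.

/**
 * Map a shortcode-supplied template name to a file inside $baseDir.
 * Returns the canonical absolute path, or null when the value is rejected.
 */
function resolve_comment_template(string $requested, string $baseDir, array $allowed): ?string
{
    // 1. Allowlist: the attribute must exactly match a known template name.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // 2. Canonicalise both paths; realpath() resolves "..", "." and symlinks.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null;
    }
    // 3. Containment: the resolved file must still sit under the template
    //    directory, which also catches an allowlisted name that is a symlink
    //    pointing somewhere else.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Constructed demo: one legitimate template in a throwaway directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'comment-default.php', "<?php // template\n");
$allowed = ['comment-default.php'];

// Constructed attribute values: one valid name and three that must be refused.
$samples = ['comment-default.php', '../outside.php', '/tmp/other.php', 'comment-missing.php'];
foreach ($samples as $value) {
    $resolved = resolve_comment_template($value, $dir, $allowed);
    printf("%-22s => %s\n", $value, $resolved === null ? 'rejected' : 'accepted');
}

unlink($dir . DIRECTORY_SEPARATOR . 'comment-default.php');
rmdir($dir);
```

A shortcode handler would include only the path this function returns and fall back to its default template when the result is null.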