Recently we had a security audit on one of our websites, and this plugin showed a cross-site scripting vulnerability. From what I could tell, this is happening on the MANAGE SUBSCRIPTIONS/comment-subscriptions page when JS is turned off and in the email input field. I was able to submit script tags and JS.
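The report above describes an email field that accepts markup once the browser-side check is out of the picture. The following is an added example, not part of the original post and not the plugin's code: a server-side handler that validates the field on every request and escapes it when the form is re-rendered. The function names, the form markup, the `/comment-subscriptions` action path and the email pattern are assumptions made for this sketch.

```python
import html
import re

# Conservative server-side pattern (an assumption for this sketch, not full RFC 5322).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
MAX_EMAIL_LEN = 254

# Hypothetical form markup; the real plugin's template is not shown on the page.
FORM_TEMPLATE = (
    '<form method="post" action="/comment-subscriptions">'
    '<input type="email" name="email" value="{value}">'
    "{message}"
    '<button type="submit">Manage subscriptions</button>'
    "</form>"
)


def is_valid_email(value):
    """Server-side check; runs whether or not the browser executed any script."""
    return len(value) <= MAX_EMAIL_LEN and EMAIL_RE.fullmatch(value) is not None


def render_form(value="", message=""):
    """Render the form, encoding the value for an HTML attribute context."""
    safe_value = html.escape(value, quote=True)  # encodes < > & " '
    safe_message = f"<p>{html.escape(message)}</p>" if message else ""
    return FORM_TEMPLATE.format(value=safe_value, message=safe_message)


def handle_submission(post_data):
    """Return (accepted, html) for a POST to the subscription management form."""
    email = str(post_data.get("email", "")).strip()
    if not is_valid_email(email):
        # Rejected input is not echoed back into the page at all.
        return False, render_form(message="Please enter a valid email address.")
    return True, render_form(value=email, message="Address accepted.")


if __name__ == "__main__":
    # Constructed sample submissions, as a client without JS could send them.
    for sample in ("reader@example.com", "<script>alert(1)</script>"):
        accepted, page = handle_submission({"email": sample})
        print(accepted, page)
```

Validation and output encoding are kept separate on purpose: `render_form` stays safe even if a caller passes it an unvalidated value.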