The WP Customer Reviews WordPress plugin prior to 3.7.1 does not validate a parameter allowing contributor and above users to redirect a page to a malicious URL
Vulmon