The plugin does not sanitise the postratings_image parameter from its options page (wp-admin/admin.php?page=wp-postratings/postratings-options.php). Even though the page is only accessible to administrators, and protected against CSRF attacks, the issue is still exploitable when the unfiltered_html capability is disabled.
Proof of Concept
POST /wp-admin/admin.php?page=wp-postratings/postratings-options.php HTTP/1.1
Cookie: [admin cookies]