I've just sent this to the development team at Archive Of Our Own. If anyone reading this has influence with the team I'd strongly recommend that they take this on board and do something about it - it has the potential to be a major problem:
Just tried a test - posted a review on one of my own stories when I was logged out, using another address, then logged in and deleted it.
First, the address I used didn't receive any request for confirmation that the owner of the email account had really posted the review. The potential for malicious reviewing should be obvious.
Second, the address didn't receive any notification that the review had been deleted. This has some interesting implications if (for example) a review is a complaint that the story is plagiarised.
I would strongly suggest that there should be some attempt to verify that reviews are genuine, and that reviewers should be notified if reviews are deleted.