The theme does not sanitise and escape some parameters, which could allow users with a role as low as a subscriber to perform Stored Cross-Site Scripting attacks.
As a candidate, enter the following payload in the Social Network option: javascript:alert(1)
As a recruiter, access the candidate page and click on the Social Network icon to see the payload trigger the alert.
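The missing check, as an added example that is not the theme's own code: the stored Social Network value is accepted only if it is an absolute http(s) URL, and it is HTML-escaped when written into the link. The function names are hypothetical and the sample inputs are constructed; in a WordPress theme, esc_url() applies the same kind of protocol filtering on output.

```php
<?php
// Added example: hypothetical helpers, not code from the affected theme.

const ALLOWED_SCHEMES = ['http', 'https'];

// Return the URL if it is safe to place in an href, otherwise ''.
function safe_social_url(string $raw): string
{
    $url = trim($raw);
    // Reject embedded whitespace or control characters instead of guessing
    // how a browser would normalise them inside the scheme.
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url)) {
        return '';
    }
    // A scheme is required (RFC 3986 syntax); schemeless values are rejected.
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return '';
    }
    // Allowlist the scheme; javascript:, data:, vbscript: and others fail here.
    if (!in_array(strtolower($m[1]), ALLOWED_SCHEMES, true)) {
        return '';
    }
    // An http(s) profile link must carry a host.
    $host = parse_url($url, PHP_URL_HOST);
    return (is_string($host) && $host !== '') ? $url : '';
}

// Escape on output as well, so quotes in a valid URL cannot break the attribute.
function render_social_link(string $stored): string
{
    $url = safe_social_url($stored);
    if ($url === '') {
        return ''; // render no icon at all for a rejected value
    }
    $href = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $href . '" rel="noopener noreferrer">Profile</a>';
}

// Constructed sample values for the Social Network field.
$samples = [
    'https://example.com/in/jane',  // legitimate profile URL
    'javascript:alert(1)',          // the payload from the proof of concept
    ' JavaScript:alert(1)',         // constructed case/whitespace variant
];
foreach ($samples as $s) {
    printf("%-32s => %s\n", var_export($s, true), var_export(render_social_link($s), true));
}
```

Applying safe_social_url() when the profile is saved as well as when it is rendered keeps rejected values out of the database and covers entries stored before the check existed.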