Yoast’s WordPress SEO plugin – Security Release

A CSRF issue that allowed blind SQL injection in WordPress SEO by Yoast has been discovered by Ryan Dewhurst, developer of the WordPress vulnerability scanner WPScan.

Joost de Valk wrote: by having a logged-in author, editor or admin visit a malformed URL a malicious hacker could change your database. While this does not allow mass hacking of installs using this hole, it does allow direct targeting of a user on a website. This is a serious issue, which is why we immediately set to work to fix it when we were notified of the issue.

To fix the issue, upgrade the free version to version 1.7.4 right away. Because of the severity of the issue, the WordPress.org team pushed out a forced automatic update, so many sites running the plugin should already have been updated (if your setup allows that), but you need to double-check.

If you’re using WordPress SEO Premium, you should immediately update to version 1.5.3.
