The plug-in, which is installed in up to 1.3 million sites, has now been patched, but not everyone has updated or has auto-update enabled.
All previous versions of this plug-in are exposed to this vulnerability which paves the way for a SQL-injection attack on the database, potentially exposing all data.