Yoast WordPress plug-in has XSS flaw

News by Danielle Correa

The Yoast WordPress SEO plug-in has a serious cross-site scripting vulnerability, which can allow an attacker to force a susceptible site to execute arbitrary HTML code.

This bug was likely reported to the plug-in's developer about two years ago, but it was still present in current versions up to 2.1.1.

The 'snippet preview' functionality of the plug-in was susceptible in versions prior to 2.2. The issue appears to have been reported two years ago, with the plug-in author having claimed that it was already repaired. Unfortunately, this was not the case. Researcher Charles Neill advises anyone running this plug-in to update it to the latest version.

The vulnerability was fixed in version 2.2 of the plug-in as well as versions prior to 1.7.4.  
