This is a severe issue, as the plugin is used by many popular WordPress themes and is also one of the most popular self-installed plugins for WordPress.
The vulnerability allows almost anyone to gain access to the config file, which in turn gives them access to the database and nearly everything else. We are not going to publish the details of the vulnerability here for security reasons.
To make it worse, the plugin developers patched the vulnerability silently (back in February) without disclosing the issue, leaving site owners unaware of it.
There is significant data showing that this vulnerability is being actively exploited online, potentially putting thousands of websites at risk.
This highlights the problem with themes that bundle plugins: users are often unaware of which plugins are in use and that they need to monitor their status. Some themes may also fail to provide proper notification of plugin updates.
You are advised to update the plugin to the latest version (4.2 or higher) to fix this issue. As always, please back up your database and site before updating.
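Because a theme can ship its own copy of the plugin, updating the standalone install may not be enough. The following is an added example, not code from this advisory or from the plugin's developers: it walks `wp-content/plugins` and `wp-content/themes`, reads the standard WordPress plugin header from each PHP file, and flags every copy of a named plugin whose version is below 4.2. The plugin name "Example Slider" and the sample directory tree are constructed placeholders, since the advisory does not name the plugin; substitute the real header name and your own `wp-content` path.

```python
import os
import re
import tempfile

# WordPress reads plugin metadata from a comment header in the plugin's main PHP file.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)\s*$", re.M | re.I)
FIXED = (4, 2)  # first fixed release named in the advisory: 4.2 or higher

def parse_version(text):
    """Turn '4.1.4' into (4, 1, 4); anything after the leading dotted number is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(n) for n in m.group().split(".")) if m else ()

def read_header(path):
    """Return the first Plugin Name / Version values in the file's first 8 KiB."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        found = HEADER.findall(fh.read(8192))
    return {k.lower(): v for k, v in reversed(found)}  # reversed: first occurrence wins

def find_copies(wp_content, plugin_name):
    """Report every copy of plugin_name under plugins/ and themes/ as (path, version, status)."""
    findings = []
    for area in ("plugins", "themes"):
        for root, _dirs, files in os.walk(os.path.join(wp_content, area)):
            for name in (f for f in files if f.endswith(".php")):
                path = os.path.join(root, name)
                meta = read_header(path)
                if meta.get("plugin name", "").lower() != plugin_name.lower():
                    continue
                version = meta.get("version", "")  # a missing version counts as outdated
                status = "ok" if parse_version(version) >= FIXED else "outdated"
                findings.append((os.path.relpath(path, wp_content), version, status))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: one updated standalone copy, one stale theme-bundled copy."""
    layout = {"plugins/example-slider/example-slider.php": "4.2.1",
              "themes/sample-theme/bundled/example-slider/example-slider.php": "4.1.4"}
    for rel, version in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(f"<?php\n/*\n * Plugin Name: Example Slider\n * Version: {version}\n */\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in find_copies(tmp, "Example Slider"):
            print(*finding, sep="\t")
```

Any copy reported as `outdated` under `themes/` has to be fixed through a theme update or by replacing the bundled files, because the plugin's own updater only touches the copy under `plugins/`.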