Three WordPress plugins covering file upload, email enumeration, and REST API data manipulation are all confirmed actively exploited and listed on CISA KEV. All three vulnerabilities require zero authentication, making mass automated exploitation trivial. Any organization running public-facing WordPress sites must audit plugin versions immediately and treat unpatched instances as compromised until confirmed clean.