Three high-severity WordPress plugin vulnerabilities this week span privilege escalation and cross-site scripting across e-commerce and payment-processing plugins: Vitepos (CVE-2026-8157, CVSS 8.8, privilege escalation to WordPress administrator), ultimate-woocommerce-auction-pro (CVE-2026-4259, CVSS 7.1, reflected XSS), and Transbank Webpay (CVE-2026-6858, CVSS 7.1, stored XSS requiring no authentication at the injection stage). None are KEV-listed and their EPSS scores are low, but the Vitepos privilege escalation is a realistic path to complete site takeover for any WordPress instance with external user registration or third-party access enabled.