Two high-severity WordPress plugin vulnerabilities appear this period.

CVE-2026-4347 (CVSS 8.1, CWE-22) is a path traversal in MW WP Form ≤5.1.0. When file upload and database inquiry storage are both enabled, unauthenticated attackers can move arbitrary server files, including wp-config.php, which enables full site takeover.

CVE-2026-1540 (CVSS 7.2, CWE-94) is a log poisoning to RCE issue in Spam Protect for Contact Form 7 <1.2.10. It allows authenticated attackers with editor-level access to achieve remote code execution via PHP log injection.

Neither is currently listed on CISA KEV, and EPSS scores are low, but both carry RCE potential on production WordPress infrastructure. Patches are available for both plugins, and both should be updated immediately. Organizations should additionally audit editor-role accounts and implement WAF rules for path traversal and PHP header injection patterns.
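To find hosts that still need the updates, the following Python script (an added example, not code from the advisory or from either plugin) reads the header comment of each installed plugin and compares its version against the affected ranges stated above. It assumes the standard wp-content/plugins layout and that the "Plugin Name" header matches the names used in this summary; all function names are hypothetical. Versions are compared as integer tuples because a plain string comparison ranks 1.2.9 above 1.2.10 and would miss a vulnerable install.

```python
import re
import sys
from pathlib import Path

# Affected ranges exactly as stated in the advisory text. Matching on the
# "Plugin Name" header string is an assumption; adjust to your install.
AFFECTED = {
    "mw wp form": ("CVE-2026-4347", "<=", (5, 1, 0)),
    "spam protect for contact form 7": ("CVE-2026-1540", "<", (1, 2, 10)),
}
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)\s*$", re.I | re.M)

# Constructed sample of a WordPress plugin header comment.
SAMPLE = "<?php\n/**\n * Plugin Name: MW WP Form\n * Version: 5.1.0\n */\n"

def parse_version(text):
    """'1.2.9' -> (1, 2, 9), so it sorts below (1, 2, 10) unlike a string compare."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def read_header(php_source):
    """Return (plugin name, version) from the header comment; first match wins."""
    found = reversed(HEADER.findall(php_source[:8192]))
    fields = {key.lower(): value for key, value in found}
    return fields.get("plugin name"), fields.get("version")

def check(name, version):
    """Return the CVE id if this name/version is in an affected range, else None."""
    rule = AFFECTED.get((name or "").strip().lower())
    if rule is None or not version:
        return None
    cve, op, bound = rule
    installed = parse_version(version)
    hit = installed <= bound if op == "<=" else installed < bound
    return cve if hit else None

def scan(plugins_dir):
    """Check every top-level PHP file of every plugin directory."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        name, version = read_header(php.read_text(errors="replace"))
        cve = check(name, version)
        if cve:
            findings.append((php.parent.name, name, version, cve))
    return findings

if __name__ == "__main__":
    for row in scan(sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"):
        print(*row, sep="\t")
```

Run it with the path to a site's plugins directory as the only argument; each output row is the plugin directory, name, installed version and matching CVE.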