Three distinct WordPress plugins carry high-severity vulnerabilities this week: Spectra Gutenberg Blocks (CVE-2026-7465, CVSS 8.8) allows authenticated Contributor-level RCE; Simple History (CVE-2026-7459, CVSS 7.5) enables Subscriber-level account takeover via log data exposure when experimental features are enabled; and GEO my WP (CVE-2026-9757, CVSS 7.5) exposes an unauthenticated SQL injection requiring no login. None carry CISA KEV listings and observed exploitation rates are currently low, but the combination of low authentication requirements and publicly disclosed attack paths elevates urgency. Patch status varies by plugin — GEO my WP patch availability is unconfirmed as of 2026-06-02.