Both flaws require that the attacker have an account on the website, but the account could be as low-level as a subscriber. WordPress sites by default allow any user on the web to create an account.
Support the originator by clicking the read the rest link below.