This one is pretty bad. Attackers could execute code remotely on your server thanks to a flaw in PHPMailer library. PHPMailer is used in a lot of places, including WordPress. I’ve disabled it preventively, as the most recent version of WP still includes the vulnerable PHPMailer. The downside is that my server will return error 500 when someone posts the comment and I won’t be notified by email, but the comments is posted and everything else works as expected.