Admins of WordPress websites should update the CMS for security reasons. Otherwise, their sites remain open to attack.
According to a warning message, attackers do not yet appear to have targeted the vulnerabilities. Information about the vulnerabilities is extremely sparse: the post contains neither CVE numbers nor a threat-level classification.
Attackers could probably entrench themselves on a WordPress website through a persistent XSS attack. In such attacks, malicious code is typically stored on a server and delivered when the site is visited. In two other cases, it sounds as if attackers could run their own SQL commands.