Most Windows versions are at risk of remote, unprivileged attackers abusing RDP from the inside to hijack smart cards and get unauthorized file system access.
https://threatpost.com/windows-bug-rdp-exploit-unprivileged-users/177599/
The flaw, found in the Hashthemes Demo Importer plugin, allows any authenticated user to exsanguinate a vulnerable site, deleting nearly all database content and uploaded media.
https://threatpost.com/wordpress-plugin-bug-wipe-sites/175826/