The WHMpress plugin for WordPress is at risk of being hacked because of a vulnerability called Local File Inclusion. This means that people who are not logged in can access and run any files on the server, including ones that contain important information or code. This can be used to get around security measures, steal sensitive data, or even take control of a website by changing settings. This can be particularly dangerous if the plugin allows users to upload files, because even seemingly harmless files like images can be used to gain access. One way this vulnerability can be exploited is by changing the default role for new users to administrator, giving attackers full control over the website.