A popular plugin for WordPress called WP Activity Log has a security issue that could potentially allow hackers to inject harmful code into web pages. This can happen because the plugin does not properly clean up user input and protect against malicious code. As a result, attackers may be able to run their own code when a user visits a compromised page, even if they are not logged in.