WordPress, as any kind of web application, can have security risks. One of it is an injection of malicious code which is not intended by the WordPress owner to be executed. This type of security risk has been defined by OWASP.
Injection can happen because of several things:
- There is no validation, sanitation, or filtering on user-generated data
- Execution of queries without proper escaping
- Hostile data input in the system
WordPress community has wrote a handbook explaining best practices which can prevent injection. The core API of WordPress already has functions which can help developers to properly validate, escape, and filter data. Some examples such as esc_url() a function to sanitize URLs, wpdb::prepare() method to prepare SQL queries for safe execution, etc.