Whilst your imagination and remit are the only real limits with WordPress, it's important to remember that with plugins, you are expanding the core. Because of this, it's perfectly feasible for a fully hardened WordPress installation to be significantly weakened by a poorly coded plugin that interacts with the core.
Classic examples are XSS, user enumeration, and remote code execution. The increase in moving parts also increases the exposure to risk. Do your due diligence.