After Jonathan Lampe, the founder of Cybertical, published his report on poor Wordpress security on many presidential candidates' web sites, the remaining campaigns took measures to secure their sites by March 2016. However, Hillary Clinton's campaign (worried about defecting Millennials) added a new and insecure "social" module that allowed anyone to send phishing messages (complete with links to malicious sites) to anyone else through Clinton's site. As a responsible security researcher, Lampe reached out to Clinton's campaign, and Politico later followed up on the same matter. However the campaign completely wiffed on their analysis of the issue, with Clinton's top tech (Stephanie Hannon) noting that the feature that allowed people to phish each other through Clinton's site was there "by design" Read the full report here (Clinton's phishing issue is covered on slides 101-118).
Update: the phishing feature was still available on Clinton's web site as of October 6, 2016.