The problem

click- and hoverEvents are not removed when item and entity names are displayed in chat. This allows tricking players.

The easiest way to abuse this, is renaming an entity and hoping a player has disabled advanced tooltips, otherwise they will see the hover text and might notice that there is something fishy going on.

This is pretty problematic in combination with the EntityTag or name tags and Creative players since they can get any items even without commands (in vanilla using saved hotbars).
This is of course possible using the /tellraw command as well, but there it is possibly more obvious.

Example

1. Use the following command in a command block

   /summon armor_stand ~ ~ ~ {CustomName:"[\"\",{\"translate\":\"entity.minecraft.armor_stand\"},\"\\n\",{\"text\":\"<\",\"extra\":[{\"text\":\"RandomGuy\",\"clickEvent\":{\"action\":\"run_command\",\"value\":\"/say This could have been /op RandomGuy!\"}},\"> Please click my name to write a message directly to me\"]}]"}
   

2. Use the following command to have the name of the armor stand appear in chat

   /say @e[type=armor_stand,limit=1]
   

   → It looks like "RandomGuy" wrote something in chat

3. Click on "RandomGuy" to reply to them
   → You just executed an arbitrary command