'Plug-ins', as the name implies, are lines of code added to a site to allow programmes that are hosted on other servers to run on a website.
Many designers use them as a way of providing content or functionality that they do not have the time or talent to write themselves.
In many ways it makes sense because it saves having to 're-invent the wheel'. If someone, somewhere has expended energy and expense writing a useful and complicated programme, why not use that instead of writing one yourself?
The problem arises when website designers use plug-ins from unverified sources - which they often do to save money. In order to function, plug-ins must transmit some information both ways: to the site and from it. The problem is, neither you nor your website designer, can be sure exactly what information is being taken from your site or what other functions are being added.
The plug-in maybe gathering information about you and your clients; it might be placing code on your customers' PCs in order to glean personal information; it might be able to add unauthorised content to your site. A considerable amount of 'suspicious' plug-ins - offered for free or at discount - are now available on code sharing websites. I have checked their origins and many originate from Russia or China.
For this reason I do not use plug-ins.