I have the newest WordPress installed in “example.com”.
If I create the folder “example.com/my-app/” and run index.php there, which fetches data from MySQL, but not from the WordPress database (different user, different db), is there a security issue?
And if someone hacks into my WordPress account, can they read the PHP files in “my-app/”?
Not as such, no.
I think so. As far as I know, in the default setting, WordPress does not offer the possibility of entering PHP code that gets executed, but there are plugins for that, e.g. Exec-PHP.
Seeing as an administrator can install such a plugin (or simply write one themselves), you have to assume that it is in fact possible to read and write PHP files from within WordPress if somebody gains access to the administrator account.
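To check how exposed “my-app/” is on a given server, the following audit script reports what PHP code running inside WordPress could do to the file from the question. It is an added example, not part of the original question or answer; it assumes WP-CLI is installed, and the file name `audit-my-app.php` is hypothetical.

```php
<?php
// Added example: audit script, not from the original post.
// Run from the WordPress root with WP-CLI:  wp eval-file audit-my-app.php
// Run it as the same OS user and with the same php.ini as the web-facing PHP,
// otherwise the result describes the CLI environment rather than the site.

function audit_sibling_access(string $path): array
{
    // Effective OS user of the PHP process (needs the posix extension).
    $user = function_exists('posix_geteuid')
        ? (posix_getpwuid(posix_geteuid())['name'] ?? 'unknown')
        : 'unknown (posix extension missing)';

    return [
        'php_process_user'   => $user,
        // open_basedir limits which paths PHP file functions may touch.
        'open_basedir'       => ini_get('open_basedir') ?: '(not set: no path restriction)',
        'target'             => $path,
        // @ suppresses the warning PHP emits when open_basedir blocks the path.
        'readable'           => @is_readable($path),
        'writable'           => @is_writable($path),
        // WordPress constants, normally set in wp-config.php:
        // FILE_EDIT turns off the dashboard theme/plugin editor,
        // FILE_MODS also turns off installing and updating plugins and themes.
        'DISALLOW_FILE_EDIT' => defined('DISALLOW_FILE_EDIT') && DISALLOW_FILE_EDIT,
        'DISALLOW_FILE_MODS' => defined('DISALLOW_FILE_MODS') && DISALLOW_FILE_MODS,
    ];
}

// ABSPATH is defined once WordPress is loaded; fall back to this directory.
$root = defined('ABSPATH') ? ABSPATH : __DIR__ . '/';

foreach (audit_sibling_access($root . 'my-app/index.php') as $key => $value) {
    printf("%-20s %s\n", $key, is_bool($value) ? ($value ? 'yes' : 'no') : $value);
}
```

If `readable` is reported as yes, any PHP executed inside WordPress can read that file. Setting `DISALLOW_FILE_MODS` to true in wp-config.php stops administrators from installing plugins through the dashboard.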