That’s what I have been pointing out a couple weeks (or is it months already, I lost count of time) ago.
We have developers in there that are not even featuring a real website. Webtoffe is one of them, not the only one though.
Just one more example of many:
No idea who that is, website is an error, plugin on directory is 1.0.2, but in GIT the last release package is 1.0.3.
That is as said not the only such occurrence.
I have asked before in other threads that the developers likely need to be revised. I also doubt a scan for those plugins ever was made, because again taking the last example plugin it says
Tested up to: 3.8.1
This shouldn’t even be on the repo.
phpcs --standard=WordPress acf-star-rating-field-master returned with more than 500 errors, some of which say
All output should be run through an escaping function[...]
[details removed as encompassing security issue and notified our Plugin Reviewers to look at it]
We definitely need more eyes on that repo.