Warn the users about the vulnerability and prompt them to take action.
Personally speaking I wouldn’t allow anyone to access my website. I would change cms immediately if I suspected that someone used the cms to access my website’s setup and I would sue the company who did so.
Warning the users about the/any vulnerabilities on the plugins, if you know it of course, is more than enough by the side of the cms maintainers/developers.
But I think that you over thinking the matter. WP doesn’t even bother to do that. The average users usually choose plugins almost in blind based on reviews from other users. Who told you that all people are able to check out the code of a plugin after all?
The cms maintainers are not responsible for the actions of those who write the plugins and they can’t check out the universe. It is on the final users’ discretion and choices to keep their websites secure.
But what I’ve said previously is still valid. If you run way too many plugins you involve way too many code writers in the equation. The more these are the higher is the risk to get a plugin that is either in purpose or by mistake harmful for your website.