We recently ran the WordPress plugins included in ClassicPress’ plugin directory through a web-based automated security tool of ours and detected a couple with minor, but easy to detect, vulnerabilities. Both vulnerabilities had existed since the original versions of their respective plugins, which isn’t a great sign for WordPress’ handling of the security of plugins, since new plugins are supposed to be reviewed for security. One of the vulnerable plugins was promptly fixed, but with the other, we haven’t even heard back from the developer. So in line with our reasonable disclosure policy, we have now disclosed that vulnerability. The ClassicPress Directory doesn’t look to have any information on how to report an issue like that in a plugin, so we are not sure how to address that with you.
We can also provide your team handling your plugin directory access to that tool if you start checking over the security of plugins you are adding to that.