I became aware, just now, of this issue with one of the plugins in the plugin directory: https://tracker.moodle.org/browse/CONTRIB-7516.
I can't see the issue, since it's a severe security issue. On the other hand, according to https://docs.moodle.org/dev/Moodle_security_procedures I shouldn't disclose the plugin involved. I have verified that the plugin enabled exposing our config.php in plain text, and I'm sure much worse can happen.
My question is: what is the responsibility of the plugin directory maintainers in cases like these? In this case, I think the plugin should be removed immediately from the directory (until the vulnerability is solved in a subsequent version). I'm not sure how to deal with the communication with Moodle admins who installed the plugin.