
This reminds me of a dirty plan I had as a kid in middle school.

1. Make a legitimately useful Minecraft Bukkit plugin.

2. Wait for lots of installs.

3. Add a well-hidden backdoor that makes me "op" (admin) on any server I choose.

4. Surprise some mean op on a public server by suddenly banning him.

I got through step 2 then decided to stop there.




Minecraft Bukkit plugins are basically the wild west. It's really hard to tell if something is intentional or not. I remember many years ago trying to find a motd (message of the day) plugin that would just display a message when you joined the server.

I found one that was simple enough, but it would ping home to check if there were any updates as well. Now it could have been just the developer trying to add a useful feature, but the cynic in me believes it's so that they could get IP addresses of the servers running the plugin.

It also had a debug command that wasn't authenticated that let you print the contents of any motd file in a folder. Except it didn't escape strings properly, so you could `../...` to escape out of that directory and print any file.

I have no idea if the author actually exploited this, or if they were a naive 14 year old writing their first plugin. If they were trying to exploit, I don't know which file they were going to print the contents of, but it definitely made me very suspicious.
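The check the plugin above was missing, shown as an added example in plain Java (not code from that plugin or from anyone in this thread): a flawed lookup that joins the user-supplied name onto the motd folder as-is, beside a hardened one that normalizes the result and refuses anything that leaves the folder. The folder and file names are constructed for the demo.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Looking up a message-of-the-day file by a name a player typed into a command. */
public final class MotdFiles {

    /** Flawed: "../" in the requested name walks straight out of motdDir. */
    static Path unsafeResolve(Path motdDir, String requested) {
        return motdDir.resolve(requested);
    }

    /**
     * Hardened: normalize the joined path and require it to stay under the base
     * directory. Both "../" sequences and absolute paths fail the startsWith test,
     * because Path.resolve returns an absolute argument unchanged.
     */
    static Path safeResolve(Path motdDir, String requested) throws IOException {
        Path base = motdDir.toAbsolutePath().normalize();
        Path candidate = base.resolve(requested).normalize();
        if (!candidate.startsWith(base) || candidate.equals(base)) {
            throw new IOException("refusing path outside motd folder: " + requested);
        }
        // A symlink inside the folder could still point elsewhere; compare real paths too.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(base.toRealPath())) {
            throw new IOException("refusing symlink that leaves motd folder: " + requested);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path motdDir = Files.createTempDirectory("motd");   // constructed sample folder
        Files.writeString(motdDir.resolve("welcome.txt"), "Welcome to the server!");

        System.out.println(Files.readString(safeResolve(motdDir, "welcome.txt")));
        // The flawed version happily produces a path outside the folder:
        System.out.println("unsafe -> " + unsafeResolve(motdDir, "../../outside.txt"));

        String[] attempts = {"../../outside.txt", "/outside.txt", "sub/../../outside.txt", "."};
        for (String attempt : attempts) {
            try {
                safeResolve(motdDir, attempt);
                System.out.println("ALLOWED: " + attempt);
            } catch (IOException e) {
                System.out.println("BLOCKED: " + e.getMessage());
            }
        }
    }
}
```

In a real Bukkit command handler this lookup also belongs behind a `sender.hasPermission(...)` check, so the debug command stops being reachable by any player who joins.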


> It also had a debug command that wasn't authenticated that let you print the contents of any motd file in a folder. Except it didn't escape strings properly, so you could `../...` to escape out of that directory and print any file.

That's hilarious and showcases how un-sandboxed those plugins are.


2b2t got backdoored several times this way. Several people had access to WorldEdit, creative mode, admin commands, etc.

Beyond ancient anarchy servers, right now the Minecraft mod community has been dealing with several supply chain attacks, deserialization vulnerabilities, and so on.


Targeted Minecraft server backdoors do happen every now and then.

