Despite “Manual Security Review”, Brand New WordPress Plugin Contains Remote Code Execution (RCE) Vulnerability
Before new plugins are allowed in to WordPress’ plugin directory, they are claimed to go through a manual review:
After your plugin is manually reviewed, it will either be approved or you will be emailed and asked to provide more information and/or make corrections. [Read more]