roote.rs

tradesystem: arbitrary item give vulnerability

plugin messaging abuse leads to a catastrophic vulnerability in TradeSystem, a really popular minecraft plugin.

overview

the popular plugin TradeSystem had a critical vulnerability with plugin messaging. you could:

  • give yourself items
  • possibly (unlikely) achieve RCE via insecure deserialization
  • spam people
  • ban people
  • wipe people

.. and more!

patch

there has been a patch to the github repository but it has not reached an official release yet. for now, please use this build or build from the develop branch.

technical details

this exploit relies on a relatively unknown fact: plugin messages are not secure when no proxy plugin is there to block them.

what tradesystem did was always register the plugin messaging channel, rather than only registering it when a configuration option enabled it. this let normal players send custom payload packets on that channel pretending to be from the proxy, which allowed a cross-server trade to be spoofed.

so this was the attack chain:

  • send a fake player online packet
  • initialise trade
  • make the fake player put items into the trade inventory
  • cancel the trade
  • profit
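the two defences the technical details point at, as an added example (not TradeSystem's code, and not the actual patch): the backend registers the channel only when a config option enables proxy mode, and a proxy-side plugin cancels anything on that channel whose sender is a player connection. the channel name "example:trade" and the config key "proxy.enabled" are placeholders.

```java
// Added example, not TradeSystem's code. Uses the Bukkit and BungeeCord APIs.
// "example:trade" and "proxy.enabled" are placeholder names.
import org.bukkit.entity.Player;
import org.bukkit.plugin.java.JavaPlugin;
import org.bukkit.plugin.messaging.PluginMessageListener;

import net.md_5.bungee.api.connection.ProxiedPlayer;
import net.md_5.bungee.api.event.PluginMessageEvent;
import net.md_5.bungee.api.plugin.Listener;
import net.md_5.bungee.api.plugin.Plugin;
import net.md_5.bungee.event.EventHandler;

// Backend (Bukkit) side: only listen on the channel when the admin has
// explicitly enabled proxy mode, so a stand-alone server never accepts
// cross-server trade payloads arriving over a player connection.
public final class TradeChannelPlugin extends JavaPlugin implements PluginMessageListener {
    static final String CHANNEL = "example:trade"; // placeholder channel name

    @Override
    public void onEnable() {
        saveDefaultConfig();
        if (!getConfig().getBoolean("proxy.enabled", false)) {
            getLogger().info("proxy mode disabled; not registering " + CHANNEL);
            return; // channel stays unregistered, payloads on it are ignored
        }
        getServer().getMessenger().registerIncomingPluginChannel(this, CHANNEL, this);
    }

    @Override
    public void onPluginMessageReceived(String channel, Player player, byte[] message) {
        if (!CHANNEL.equals(channel)) return;
        // handle the proxy-originated trade message here
    }
}

// Proxy (BungeeCord) side: drop anything on the channel whose sender is a
// player connection, so only proxy plugins can originate messages on it.
final class TradeChannelGuard extends Plugin implements Listener {
    @Override
    public void onEnable() {
        getProxy().getPluginManager().registerListener(this, this);
    }

    @EventHandler
    public void onPluginMessage(PluginMessageEvent event) {
        if (TradeChannelPlugin.CHANNEL.equals(event.getTag())
                && event.getSender() instanceof ProxiedPlayer) {
            event.setCancelled(true); // never forwarded to the backend
            getLogger().warning("blocked client-originated message on " + event.getTag()
                    + " from " + ((ProxiedPlayer) event.getSender()).getName());
        }
    }
}
```

the proxy-side cancel is the part that actually closes the hole on a network, since the backend alone cannot tell a forwarded client payload from one a proxy plugin sent; the warning line also gives operators a log entry to alert on.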