Skip to content
Z-CMS is being built in the open on GitHub. Join the community

All posts

Building a Secure Plugin Marketplace for Z-CMS

Jul 12, 2026 · Z-SOFT Admin · 4 min read

Why a marketplace must be treated as a software supply-chain system

A marketplace is more than a ZIP download page

A plugin marketplace distributes executable code into production systems. It must therefore answer who created a package, whether it was modified, what permissions it requests, which versions are vulnerable and how an administrator can recover from a bad update.

Threat model

  • Typosquatting packages that imitate popular names.
  • A compromised publisher account releasing malicious updates.
  • Package modification during upload, storage or delivery.
  • Plugins requesting permissions unrelated to their purpose.
  • Vulnerable or malicious transitive dependencies.
  • Cross-tenant access or unauthorized data transfer.

Signed and immutable releases

Every published package should have a checksum and cryptographic signature. Z-CMS verifies the package before installation and does not permit an existing version to be overwritten.

Developer builds package
   ↓
Calculate SHA-256
   ↓
Sign release metadata
   ↓
Marketplace verifies
   ↓
CMS downloads and verifies again
{
  "package": "@z-cms/plugin-seo",
  "version": "1.3.0",
  "sha256": "6c8f...a9d2",
  "publisher": "z-soft",
  "signature": "MEUCIQD..."
}

If a publisher fixes a problem, it must release 1.3.1 rather than silently replacing 1.3.0. Immutable versions make checksums, lockfiles and rollback trustworthy.

Publisher identity and namespaces

Packages use organization namespaces such as @z-cms/plugin-seo or @community/plugin-forms. Organizations manage owners, maintainers, publishers and security reviewers. Marketplace badges can indicate official, verified, community or experimental status without implying perfect safety.

Permission transparency

{
  "permissions": [
    "content:read",
    "content:update",
    "settings:read"
  ]
}

Before installation, the admin sees a human-readable explanation of what the plugin can and cannot do. An update that adds users:read or unrestricted network access requires renewed approval rather than silent auto-update.

Runtime enforcement

Permissions are not only documentation. Every SDK call is checked inside the Core.

if (!permissions.has("users:read")) {
  throw new PermissionDeniedError("users:read");
}

Network permissions can be scoped to approved domains instead of granting unrestricted outbound access.

Multi-tenant boundaries

All plugin calls carry immutable tenant, plugin and request contexts assigned by the Core. Plugins never choose a tenant ID. Database, cache, storage and search layers add tenant scoping automatically.

{
  "tenantId": "tenant-a",
  "pluginId": "@z-cms/plugin-seo",
  "requestId": "req-123"
}

Security scanning pipeline

  1. Validate manifest structure, version compatibility and requested permissions.
  2. Scan dependencies for known vulnerabilities, typosquatting and suspicious install scripts.
  3. Run static analysis for obfuscation, eval, dynamic code generation and forbidden Node.js APIs.
  4. Scan for leaked API keys, tokens, private keys and environment files.
  5. Execute selected packages in a controlled analysis sandbox.
  6. Route high-risk permissions to manual review.

Release channels and advisories

Plugins may expose stable, beta, alpha and nightly channels. Production tenants can remain on stable while staging environments test beta versions. When a vulnerability is discovered, the marketplace publishes an advisory with affected and patched versions.

Security Advisory ZCMS-2026-001
Affected: @community/plugin-form-builder <= 2.4.1
Patched: 2.4.2
Severity: Critical

For severe incidents, the marketplace can block new installations, warn existing administrators and optionally suspend execution under an explicit policy.

Audit and data-transfer transparency

Installation, permission approval, activation, update, rollback and suspension events are recorded. Plugins that send content to external services must declare destination domains and data types so administrators can make an informed decision.

{
  "dataCollection": {
    "externalTransfer": true,
    "domains": ["api.example.com"],
    "dataTypes": ["article-content"]
  }
}

Reputation beyond star ratings

A useful trust profile includes install count, uninstall rate, crash rate, update frequency, security response time, supported CMS versions, last audit date and publisher history. A five-star score alone cannot represent operational quality.

Conclusion

Z-CMS approaches the marketplace as a software supply-chain platform. Signed immutable packages, verified identities, runtime permissions, scanning, tenant isolation, advisories and audit logs cannot guarantee that every plugin is safe, but they greatly reduce risk and give administrators meaningful control.

GitHub: https://github.com/zscontributor/z-cms
Website: https://z-cms.org