You are missing the point. This is a freemium plugin listed in the WordPress plugin directory. They (WordPress) are being negligent by exposing users to that kind of code without any warning, enabling users to install this directly from their WP Admin area.
One should expect at least a red flag, but as always they just care about numbers.
I completely get the point. We are looking at both sides of the same coin. Read my comment again. We are both describing the same problem from different angles.
You claim that WordPress has a responsibility to vet the submissions on their plugin repo in the same way that Apple vets apps on the app store.
I think this level of abstraction has made web operators lazy. I think WordPress.org has a responsibility to host everybody's code and that it is your responsibility as a website operator to vet that code before you let your server run it. Just because you pay for Github or financially contribute to an app on Github doesn't shield you from bad code that another Github user has submitted.
Never mind that WordPress and all of the plugins they host are GPLv2, which means (verbatim): "BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW."