Hi all,
Yesterday we were notified of some malicious actors using third-party plugins and software to perform harmful actions on a server. By gaining access to PAPI commands via a force op in a third-party plugin/software, the malicious actors were able to utilize a vulnerable expansion (Minepacks) to allow unverified expansions to be downloaded.
We took immediate backend actions to protect all versions of PlaceholderAPI by removing unverified expansions from the API.
This update specifically removes the ‘cloud_allow_unverified_expansions’ option from the default configuration. After our backend actions, this config option was rendered useless, so do not worry if you still have it listed in your configuration file.
To access unverified expansions, users can still manually download them from https://api.extendedclip.com/all/
If you have any questions or need further assistance, please feel free to reach out to us in our Support Discord.
Thank you,
PlaceholderAPI Team