Hello, i'm not really a security expert but i found a possible security issue that could be exploited (although most of the responsibility here relies in the plastic server admin of the company).
So, while i was testing plastic server on linux (on a Digital Ocean server) for the company i work for, i was unable to connect to the Web Admin Tool for some reason. So i decided to do all the settings manually by modifying the server .conf files (i'm also pretty sure that many people setup the server this way, specially if they have the production-ready .conf files lying around).
The possible security issue i'm talking about is that even if i can't access to the web admin tool, doesn't really mean that anyone else can't. So someone could access, generate a password, reset a repo user password and create havok in the repos. Since setting up or using the Web Admin Tool isn't mandatory for running up the server, i believe that an initial password should be generated (unencrypted initially, until prompted a password change in the first visit) OR setting up a Web Admin Tool password should be a mandatory process when installing the server.
So, of course, one solution here is to disable the Web Admin Tool (in the server.conf file) and also copy a webadmin.conf generated from other machine, just in case.