There are approximately 30,000+ plugins and 2,000+ themes listed on the WordPress.org site. These themes and plugins are submitted for inclusion and are manually reviewed by volunteers before being made available on the repository. Inclusion of plugins and themes in the repository is not a guarantee that they are free from security vulnerabilities.
Guidelines are provided for plugin authors to consult prior to submission for inclusion in the repository, and extensive documentation about how to do WordPress theme development is provided on the WordPress.org site. Each plugin and theme has the ability to be continually developed by the plugin or theme owner, and any subsequent fixes or feature development can be uploaded to the repository and made available to users with that plugin or theme installed with a description of that change.
Site administrators are notified of plugins which need to be updated via their administration dashboard. When a plugin vulnerability is discovered by the WordPress Security Team, they contact the plugin author and work together to fix and release a secure version of the plugin.
If there is a lack of response from the plugin author or if the vulnerability is severe, the plugin/theme is pulled from the public directory, and in some cases, fixed and updated directly by the Security Team.
Source: WordPress › About » Security