[Ennis]

The attack vector is not broad which makes the headline and story sensationalist.

Yes - plugins add risk because they are dynamic and have an uncontrolled upgrade path with potentially different or non-existent signing systems. That is why plugins and extensions are not allowed on the more-controlled and newer iOS.

I doubt this gets addressed very quickly - if anything it is easier and cheaper to audit all VLC extensions and introduce a signing system. Or to kill VLC's trusted cert/status altogether and treat it as a custom dev app - install-at-your-own-risk.