Description
/api/plugins/execute POST endpoint accepts arbitrary commands with no authentication.
Location
src/routes/api/plugins/execute/+server.js
Impact
Any unauthenticated user can execute plugin commands.
Recommended Fix
Add auth check using createSupabaseServerClient(event) + supabase.auth.getUser().
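
One way to apply the recommended fix, as an added example that is not the project's own code: the handler authenticates before it reads the request body and fails closed if the lookup errors. `createSupabaseServerClient` is injected so the logic can be run without the project; `makeExecuteHandler`, `jsonResponse` and `runPluginCommand` are hypothetical names assumed for illustration.

```javascript
// Added example: auth gate for POST /api/plugins/execute (SvelteKit +server.js style).
// createSupabaseServerClient is the project helper named in the report; it is injected here.
// runPluginCommand is a hypothetical stand-in for the existing plugin execution logic.

function jsonResponse(status, body) {
  return new Response(JSON.stringify(body), {
    status,
    headers: { 'content-type': 'application/json' }
  });
}

function makeExecuteHandler({ createSupabaseServerClient, runPluginCommand }) {
  return async function POST(event) {
    // Authenticate first, before the body is parsed, so an unauthenticated
    // caller never reaches any plugin code path.
    let user = null;
    try {
      const supabase = createSupabaseServerClient(event);
      const { data, error } = await supabase.auth.getUser();
      if (!error) user = data?.user ?? null;
    } catch {
      user = null; // fail closed: an auth lookup failure is treated as "not logged in"
    }
    if (!user) return jsonResponse(401, { error: 'Authentication required' });

    let payload;
    try {
      payload = await event.request.json();
    } catch {
      return jsonResponse(400, { error: 'Invalid JSON body' });
    }
    const result = await runPluginCommand(payload, user);
    return jsonResponse(200, { result });
  };
}

// In +server.js (assumed wiring):
// export const POST = makeExecuteHandler({ createSupabaseServerClient, runPluginCommand });
```

`supabase.auth.getUser()` checks the token with the Supabase Auth server, which is why it is the call to gate on here rather than a session read from cookies.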