@jw-sbat Always make sure the plugins you are using are working fine before deploying to production. Even if the plugin doesn't specify compatibility directly, it could still work. That property specifies a minimum NodeBB version.
We had no reports of anyone altering socket.uid; it's a server-side only value.
A while back there was a certain vulnerability (not NodeBB specific), I don't exactly remember what it was, but it allowed a user to mimic another user, even an admin, and do pretty much everything as that user.