An unqualified plugins block will fetch plugin jars from the Maven repo at http://plugins.gradle.org. This is an insecure default - it should use https://plugins.gradle.org, similar to what the mavenCentral() and jcenter() functions default to.
Hi Kevin
Thanks for letting us know. We’ll take a look now and update here when resolved.
Kind Regards
Kon