Today I learned: bind all your servers to 127.0.0.1
Didn't do this, people were joining directly to the main server (I didn't think this was going to be an issue since the auth plugin was in the main server) and spoofing UUIDs, allowing them to get any rank.
How did they spoof UUIDs? I don't know, but they were spoofing UUIDs and logging in via 127.0.0.1 (again, idk how), problem fixed after binding every server to 127.0.0.1
And another guy had the same issue, people spoofing UUIDs and logging in via 127.0.0.1, again, didn't bind the server to 127.0.0.1
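
A way to verify the fix described in the post, as an added example that is not part of the original post: it parses `ss -ltn` output and reports any listed server port that is still listening on a non-loopback address. The port numbers and the sample output are constructed, and the function names are hypothetical; it assumes a Linux host where `ss` is available.

```python
import ipaddress

# Constructed sample of `ss -ltn` output (ports and addresses are made up).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:25565      0.0.0.0:*
LISTEN 0      128    127.0.0.1:25566    0.0.0.0:*
LISTEN 0      50     *:25567            *:*
LISTEN 0      50     [::ffff:127.0.0.1]:25568 *:*
LISTEN 0      128    [::1]:25569        [::]:*
LISTEN 0      128    192.168.1.10:25570 0.0.0.0:*
"""

def is_loopback(host):
    """True only if the bind address is a loopback address."""
    host = host.split("%")[0].strip("[]")  # drop %iface scope and brackets
    if host == "*":
        return False  # wildcard bind: reachable on every interface
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # unparseable address: treat as exposed
    mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:a.b.c.d form
    if mapped is not None:
        addr = mapped
    return addr.is_loopback

def exposed_listeners(ss_output, server_ports):
    """Return (address, port) for each listed port not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in server_ports:
            continue
        if not is_loopback(host):
            findings.append((host, int(port)))
    return findings

if __name__ == "__main__":
    ports = {25565, 25566, 25567, 25568, 25569, 25570}
    for host, port in exposed_listeners(SAMPLE_SS, ports):
        print(f"port {port} is bound to {host}, not 127.0.0.1")
```

On a live host, pass the output of `ss -ltn` and the set of ports your own servers use in place of the sample.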