diff --git a/app/controllers/admin/plugins_controller.rb b/app/controllers/admin/plugins_controller.rb
index 215331f3199..220543c88ab 100644
--- a/app/controllers/admin/plugins_controller.rb
+++ b/app/controllers/admin/plugins_controller.rb
@@ -16,7 +16,7 @@ class Admin::PluginsController < Admin::StaffController
 # version of their plugin name for a route.
 plugin = Discourse.plugins_by_name["discourse-#{params[:plugin_id]}"] if !plugin
- raise Discourse::NotFound if !plugin
+ raise Discourse::NotFound if !plugin&.visible?
 render_serialized(plugin, AdminPluginSerializer, root: nil)
 end
diff --git a/spec/requests/admin/plugins_controller_spec.rb b/spec/requests/admin/plugins_controller_spec.rb
index e5edfdc8263..021c4d066c4 100644
--- a/spec/requests/admin/plugins_controller_spec.rb
+++ b/spec/requests/admin/plugins_controller_spec.rb
@@ -77,6 +77,14 @@ RSpec.describe Admin::PluginsController do
 expect(response.status).to eq(404)
 expect(response.parsed_body["errors"]).to include(I18n.t("not_found"))
 end
+
+ it "404s if the plugin is not visible" do
+ poll = Discourse.plugins_by_name["poll"]
+ poll.stubs(:visible?).returns(false)
+
+ get "/admin/plugins/poll.json"
+ expect(response.status).to eq(404)
+ end
 end
 context "when logged in as a moderator" do
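Review bot: The new guard `raise Discourse::NotFound if !plugin&.visible?` answers 404 both for an unknown name and for a plugin that is installed but hidden, and nothing in the code says that this is intended. If the aim is to avoid confirming that a hidden plugin is installed, a comment above the guard such as `# Hidden plugins are reported as not found so this endpoint does not confirm they are installed.` would stop a later refactor from splitting the cases into 404 and 403. The check sits inline in this one action, whose body begins above the hunk. Other admin routes that resolve a plugin from `params[:plugin_id]` are not visible here, so it is worth confirming they apply the same visibility filter.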
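Review bot: The added example `404s if the plugin is not visible` can pass without exercising the new guard, because a plugin that fails to resolve by name also returns 404. If `Discourse.plugins_by_name["poll"]` were nil in the test environment, or the lookup missed for another reason, the status assertion would still hold. A precondition before the stub, for example `expect(poll).to be_present`, would tie the 404 to `visible?` returning false. The example could also assert the body as the preceding one does, with `expect(response.parsed_body["errors"]).to include(I18n.t("not_found"))`. The enclosing context block opens above the hunk, and whether the moderator context that follows has a matching hidden-plugin example cannot be seen from here.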