Slides from my SocialCom-PASSAT 2012 presentation:
Teemu Koskinen, Petri Ihantola, Ville Karavirta (2012). Quality of WordPress Plug-Ins: An Overview of Security and User Ratings. In: SOCIALCOM-PASSAT ’12: Proceedings of the 2012 ASE/IEEE International Conference on Social Computing and 2012 ASE/IEEE International Conference on Privacy, Security, Risk and Trust. Washington, DC, USA: IEEE Computer Society, pp. 834–837. ISBN: 978-0-7695-4848-7.
doi: 10.1109/SocialCom-PASSAT.2012.31
Quality of WordPress Plug-Ins: An Overview of Security and User Ratings
1. Teemu Koskinen, Petri Ihantola, and Ville Karavirta, Aalto University, Finland. Quality of WordPress Plug-Ins: An Overview of Security and User Ratings
2. The Problem: Do plugin ratings predict the amount of implementation-related vulnerabilities in WordPress plugins?
3. Data collection and analysis
   1. Download a set of random plug-ins.
   2. Collect their download statistics and ratings from wordpress.org.
   3. Use the RIPS vulnerability scanner to detect potential vulnerabilities.
   4. Compare the number of potential vulnerabilities and vulnerability densities to the star ratings.
   We also reviewed some potential vulnerabilities to find out if those are real.
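The comparison in step 4, worked through on a small constructed sample: this is an added example, not the paper's data or analysis code. The plug-in records are made up, the density is computed per thousand lines of PHP, and Spearman rank correlation (with tie-averaged ranks, since many plug-ins have zero findings) is my choice of statistic; the paper does not state on these slides which test it used.

```python
"""Vulnerability density vs. star ratings on a constructed plug-in sample.

Added example; the plug-in records and the choice of Spearman rank
correlation are assumptions, not the paper's data or its exact method.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class PluginRecord:
    name: str             # hypothetical plug-in name
    downloads: int        # wordpress.org download count
    rating_count: int     # number of user ratings
    avg_rating: float     # average star rating, 1..5
    php_loc: int          # lines of PHP code
    potential_vulns: int  # findings reported by a static scanner (RIPS in the study)


# Constructed sample, not the 322-plug-in data set of the paper.
SAMPLE: List[PluginRecord] = [
    PluginRecord("alpha-forms",   120_000, 40, 4.8, 2500, 3),
    PluginRecord("beta-gallery",    5_000,  3, 3.0,  800, 0),
    PluginRecord("gamma-seo",      45_000, 12, 4.5, 6000, 9),
    PluginRecord("delta-widget",      900,  1, 5.0,  300, 0),
    PluginRecord("epsilon-cache",  30_000, 25, 4.2, 4000, 0),
    PluginRecord("zeta-contact",   15_000,  6, 2.5, 1200, 2),
]


def vulnerability_density(rec: PluginRecord, per_lines: int = 1000) -> float:
    """Potential vulnerabilities per `per_lines` lines of PHP (default: per KLOC)."""
    return rec.potential_vulns / rec.php_loc * per_lines


def summarize(records: List[PluginRecord]) -> Dict[str, float]:
    """Aggregate figures of the kind reported on the 'Preliminary Results' slides."""
    with_findings = [r for r in records if r.potential_vulns > 0]
    return {
        "plugins": len(records),
        "total_downloads": sum(r.downloads for r in records),
        "total_ratings": sum(r.rating_count for r in records),
        "total_php_loc": sum(r.php_loc for r in records),
        "total_potential_vulns": sum(r.potential_vulns for r in records),
        "plugins_with_findings": len(with_findings),
        "clean_share": 1 - len(with_findings) / len(records),
    }


def _average_ranks(values: List[float]) -> List[float]:
    """1-based ranks; tied values (e.g. many plug-ins with zero findings) share the mean rank."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        mean_rank = (i + j) / 2 + 1
        for k in range(i, j + 1):
            ranks[order[k]] = mean_rank
        i = j + 1
    return ranks


def pearson(xs: List[float], ys: List[float]) -> float:
    """Plain Pearson correlation coefficient of two equally long series."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0  # a constant series carries no rank information
    return cov / (vx * vy) ** 0.5


def spearman(xs: List[float], ys: List[float]) -> float:
    """Spearman rank correlation: Pearson correlation of the tie-averaged ranks."""
    return pearson(_average_ranks(xs), _average_ranks(ys))


def rating_vs_density(records: List[PluginRecord]) -> float:
    """How well do star ratings track vulnerability density? Near 0 means 'not at all'."""
    return spearman([r.avg_rating for r in records],
                    [vulnerability_density(r) for r in records])


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key:>24}: {value}")
    print(f"Spearman rho (rating vs. vulns/KLOC): {rating_vs_density(SAMPLE):.3f}")
```

On this constructed sample half the plug-ins are clean and the rating/density correlation is weak and negative; the zero-finding ties are exactly why an average-rank treatment matters, since a naive rank would order identical densities arbitrarily and inflate or deflate the coefficient.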
4. Preliminary Results
   Sample of 322 plugins
   • total of 3,792,711 downloads
   • total of 2,783 user ratings
   • 179,393 lines of PHP code
   860 potential security bugs were discovered from 127 plugins.
5. Preliminary Results: 60.6% of the plug-ins were “clean” and most of the others had only a few vulnerabilities.
9. Conclusions
   "Based on our findings, we are confident that there are real risks involved when using third-party plug-ins on a WordPress site. Many plug-ins appeared not to be vulnerable, but as the user ratings and download counts do not assist in finding secure plug-ins, proper inspection should be done by static analysis or manual review before using any plug-in on a WordPress site. The cost of software development and fast schedules in the industry make installing plug-ins an attractive solution, but we hope our findings encourage developers to take the time to inspect the code before using it."