Quality of WordPress Plug-Ins: An Overview of Security and User Ratings

Abstract

We have applied static analysis to find out how vulnerable the plugins available at the official Word Press plug in directory are to well known security exploits. We have compared the amount of potential vulnerabilities and vulnerability density to the user ratings, to determine if user ratings can be used for finding secure plugins. We conclude that the quality of the plugins varies and there is no clear correlation between the ratings of plugins and the number of vulnerabilities detected in them. Indeed, an additional manual review exposed a simple but severe SQL injection vulnerability in a plug in, which has both good user ratings and a high download count. We recommend plugins to be individually inspected for typical vulnerabilities before using them in any Word Press powered site.