Understanding vulnerabilities in plugin-based web systems: an exploratory study of WordPress. Mesa, O., Vieira, R., Viana, M. L., Durelli, V. H. S., Cirilo, E., Kalinowski, M., & Lucena, C. In Proceedings of the 22nd International Conference on Systems and Software Product Line - Volume 1, SPLC 2018, Gothenburg, Sweden, September 10-14, 2018, pages 149–159, 2018.
A common software product line strategy involves plugin-based web systems that support simple and quick incorporation of custom behaviors. As a result, they have been widely adopted to create web-based applications. Indeed, the popularity of ecosystems that support plugin-based development (e.g., WordPress) is largely due to the number of customization options available as community-contributed plugins. However, plugin-related vulnerabilities tend to be recurrent, exploitable and hard to detect, and may lead to severe consequences for the customized product. Hence, there is a need to further understand such vulnerabilities in order to prevent the relevant security threats. Therefore, we conducted an exploratory study to characterize vulnerabilities caused by plugins in web-based systems. To this end, we went over WordPress vulnerability bulletins cataloged by the National Vulnerability Database as well as associated patches maintained by the WordPress plugins repository. We identified the main types of vulnerabilities caused by plugins as well as their impact and the size of the patch needed to fix the vulnerability. Moreover, we identified the most common security-related topics discussed among WordPress developers. We observed that, while plugin-related vulnerabilities may have severe consequences and might remain unnoticed for years before being fixed, they can commonly be mitigated with small and localized changes to the source code. The characterization helps to provide an understanding of how typical plugin-based vulnerabilities manifest themselves in practice. Such information can be helpful to steer future research on plugin-based vulnerability detection and prevention.
