16 Nov 2022

CISA Provides No Explanation for Sponsoring Program That Directs Vulnerability Report Info to Hackers

CVE is a program that is supposed to provide unique identifiers for vulnerabilities. As we will get to shortly, it is also a path for directing software vulnerability reports away from developers to at least one security company selling non-public information on vulnerabilities to any hackers willing to pay them.

The footer of the website for the CVE program claims that it is sponsored by the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA):

12 Oct 2022

Oracle’s Poor Handling of Security on Display With Its GloriaFood’s Restaurant Menu WordPress Plugin

As discussed in more detail in a separate post, the WordPress security provider Wordfence has been selling information to exploit unfixed vulnerabilities in a WordPress plugin with 10,000+ installs to any hackers willing to pay them $99, while claiming to engage in responsible disclosure. In looking into those vulnerabilities, we found that it isn’t the only company in the security business not looking great here.

The plugin in question doesn’t have a clear name. When installed in WordPress, it is labeled as “Menu – Ordering – Reservations”. On the WordPress Plugin Directory it is either named “Restaurant Menu” or “Restaurant Menu – Food Ordering System – Table Reservation”. Whatever the name is, it comes from GloriaFood, which is part of Oracle. Yes, that Oracle. The multi-billion dollar one. The one with a security business.