Critical Flaw Found in WordPress Plugin for WooCommerce Used by 30,000 Websites
A critical security flaw has been disclosed in the WordPress “Abandoned Cart Lite for WooCommerce” plugin that’s installed on more than 30,000 websites. “This vulnerability makes it possible for an attacker to gain access to the accounts of users who have abandoned their carts, who are typically customers but can extend to other high-level users when the right conditions are met,” Defiant’s Wordfence said in an advisory. Tracked as CVE-2023-2986, the shortcoming has been rated 9.8 out of 10 for severity on the CVSS scoring system. It impacts all versions of the plugin, including and prior to versions 5.14.2.
The people paid to train AI are outsourcing their work… to AI
It takes an incredible amount of data to train AI systems to perform specific tasks accurately and reliably. Many companies pay gig workers on platforms like Mechanical Turk to complete tasks that are typically hard to automate, such as solving CAPTCHAs, labeling data and annotating text. This data is then fed into AI models to train them. The workers are poorly paid and are often expected to complete lots of tasks very quickly.
Google backs creation of cybersecurity clinics with $20 million donation
Free medical clinics and legal aid clinics, where college students and their instructors help their communities while also learning more about their professions, are now commonplace. Google hopes to add cybersecurity clinics to that list. Google CEO Sundar Pichai pledged $20 million in grants on Thursday to support and expand the Consortium of Cybersecurity Clinics to introduce thousands of students to potential careers in cybersecurity, while also helping defend small government offices, rural hospitals and nonprofits from hacking.
SMS Phishers Harvested Phone Numbers, Shipment Data from UPS Tracking Tool
The United Parcel Service (UPS) says fraudsters have been harvesting phone numbers and other information from its online shipment tracking tool in Canada to send highly targeted SMS phishing (a.k.a. “smishing”) messages that spoofed UPS and other top brands. The missives addressed recipients by name, included details about recent orders, and warned that those orders wouldn’t be shipped unless the customer paid an added delivery fee. In a snail mail letter sent this month to Canadian customers, UPS Canada Ltd. said it is aware that some package recipients have received fraudulent text messages demanding payment before a package can be delivered, and that it has been working with partners in its delivery chain to try to understand how the fraud was occurring.
Microsoft 365 users report Outlook, Teams won’t start or freezes
Network and IT admins have been dealing with ongoing Microsoft 365 issues this week, reporting that some end users cannot use Microsoft Outlook or other Microsoft 365 apps. The issues started Monday, with numerous admins contacting BleepingComputer to say that some of their users are experiencing disruptive issues in Microsoft Outlook, with the program not opening, freezing after opening, seeing delays in mail delivery, or errors saying there is no valid license associated with the user.
US ‘can’t PSA our way out’ of cyber vulnerability, CISA director says
Increased corporate responsibility and critical infrastructure protection for cybersecurity are two items the Cybersecurity and Infrastructure Security Agency will continue to prioritize as a means to secure digital networks across the country. During a Thursday Homeland Security Department meeting of the Cybersecurity Advisory Committee — established in June 2021 to provide agency leaders with guidance on cyber issues and comprised of CISA director-appointed experts from outside government — CISA director Jen Easterly walked the members through her agency’s upcoming national cyber defense priorities in conjunction with CSAC recommendations.