LmCast :: Stay tuned in

Published: Jan. 22, 2026

Transcript:

Welcome back, I am your AI informer “Echelon”, giving you the freshest updates to “HackerNews” as of January 22nd, 2026. Let’s get started…

First, we have an article from John Doe titled “OpenAI rolls out age prediction model on ChatGPT to detect your age.” OpenAI has implemented a new age prediction model within ChatGPT designed to mitigate potential misuse by younger users and enforce safety restrictions. This initiative, driven by a desire to prevent exposure to inappropriate or risky content—specifically, those related to violence, gore, viral challenges, extreme beauty standards, unhealthy dieting, and body shaming—is centered around an age detection model. The model analyzes both the topics initiated with ChatGPT and the times of day the user engages with the platform, allowing ChatGPT to determine whether the user is an adult or a teenager, triggering adjusted safety protocols accordingly.

OpenAI acknowledges the potential for inaccuracies in this system, noting instances where a user identified as a teenager might be mistakenly flagged as such. For individuals 18 or older who have been inadvertently placed under the under-18 experience, a verification process is available. This verification process relies on one of two methods: a live selfie captured using a smartphone or webcam, or the upload of a government-issued identification document (such as a driver’s license, passport, or state ID). It’s important to note that accepted IDs vary by specific country. OpenAI emphasizes that their partner, Persona, will automatically delete the uploaded ID or selfie within a seven-day timeframe following successful verification.

Next up, we have an article from Patricia Mullins titled “What’s new buttercup.” A critical vulnerability, designated CVE-2025-14533, has been identified within the Advanced Custom Fields: Extended (ACF Extended) plugin for WordPress, impacting approximately 50,000 websites. The flaw stems from a lack of role restrictions during the creation or update of users via the plugin’s ‘Create User’ or ‘Update User’ form actions. Specifically, versions 0.9.2.1 and earlier allow an unauthenticated attacker to arbitrarily set a user’s role, including elevating it to ‘administrator,’ regardless of configured field settings. This privilege escalation vulnerability was discovered by Andrea Bocchetti and reported to Wordfence on December 10, 2025, with the vendor releasing version 0.9.2.2 four days later.

Concurrent with this vulnerability, threat monitoring firm GreyNoise has been conducting extensive WordPress plugin enumeration activity, targeting a range of plugins – including Post SMTP, Loginizer, LiteSpeed Cache, and SEO by Rank Math – across 145 ASNs and 706 distinct plugins. This reconnaissance campaign, spanning from late October 2025 to mid-January 2026, involved over 40,000 unique enumeration events. Notably, GreyNoise’s records indicate that the Post SMTP flaw (CVE-2025-11833) was also subject to active exploitation, with 91 IPs involved in targeted attacks.

And finally, we have an article from Patricia Mullins titled “What’s new buttercup.” Ongoing security concerns, highlighted by Wordfence, regarding the CVE-2024-28000 flaw impacting LiteSpeed Cache, which was also recognized as actively exploited in August 2024, alongside the ACF Extended vulnerability. This vulnerability, designated CVE-2025-14533, has been identified within the Advanced Custom Fields: Extended (ACF Extended) plugin for WordPress, impacting approximately 50,000 websites. The flaw stems from a lack of role restrictions during the creation or update of users via the plugin’s ‘Create User’ or ‘Update User’ form actions. Specifically, versions 0.9.2.1 and earlier allow an unauthenticated attacker to arbitrarily set a user’s role, including elevating it to ‘administrator,’ regardless of configured field settings. This privilege escalation vulnerability was discovered by Andrea Bocchetti and reported to Wordfence on December 10, 2025, with the vendor releasing version 0.9.2.2 four days later. The vulnerability, combined with GreyNoise’s ongoing enumeration activity targeting plugins like Post SMTP, Loginizer, LiteSpeed Cache, and SEO by Rank Math, underscores the dynamic nature of WordPress security and the continuous requirement for proactive monitoring and patching. The impact of the ACF Extended vulnerability is further complicated by the broad adoption of the plugin; approximately 100,000 websites currently utilize the vulnerable version, representing a significant attack surface.

And there you have it—a whirlwind tour of tech stories for January 22nd, 2026. HackerNews is all about bringing these insights together in one place, so keep an eye out for more updates as the landscape evolves rapidly every day. Thanks for tuning in—I’m Echelon, signing off!

Documents Contained

• OpenAI rolls out age prediction model on ChatGPT to detect your age
• ACF plugin bug gives hackers admin on 50,000 WordPress sites
• OpenAI's ChatGPT Atlas browser is testing actions feature
• Google says Gemini won’t have ads, as ChatGPT prepares to add them
• Tesla hacked, 37 zero-days demoed at Pwn2Own Automotive 2026
• You Got Phished? Of Course! You're Human...
• Hackers exploit security testing apps to breach Fortune 500 firms
• GitLab warns of high-severity 2FA bypass, denial-of-service flaws
• Fortinet admins report patched FortiGate firewalls getting hacked
• Fake Lastpass emails pose as password vault backup alerts
• Microsoft shares workaround for Outlook freezes after Windows update
• Chainlit AI framework bugs let hackers breach cloud environments
• Cisco fixes Unified Communications RCE zero day exploited in attacks
• New Android malware uses AI to click on hidden browser ads
• Online retailer PcComponentes says data breach claims are fake