Weekly threat roundup: Froala, WordPress, Siemens
Pulling together the most dangerous and pressing flaws that businesses need to patch


Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It's become typical, for example, to expect dozens of patches to be released on Microsoft's Patch Tuesday, with other vendors also routinely getting in on the act.
Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.
XSS flaw found in Froala web editor
Bishop Fox researcher Chris Davis has uncovered a cross-site scripting (XSS) vulnerability in the Froala website editor used to build roughly 30,000.
Tracked as CVE-2021-28114, the vulnerability affects Foala versions 3.2.5 and earlier and is embedded in its HTML sanitisation parsing protocol, which allows attackers to bypass existing XSS protections. This is a high-risk flaw and can be triggered remotely.
Fraola is a what-you-see-is-what-you-get (WYSIWYG) HTML rich-text editor that's used in third-party sites to provide text editing functionality, including HTML text. The latest version of the application was released on 18 May this year and includes a patch for the flaw.
Critical zero-day found in WordPress plugin
A critical file upload vulnerability in the Fancy Product Designer WordPress plugin has been actively exploited by cyber criminals, according to researchers with Wordfence.
The flaw, tracked as CVE-2021-24370, is rated 9.8 on the CVSS threat severity scale and has been disclosed publicly with minimal details due to the fact it's under active exploitation. Hackers have been abusing the flaw in the plugin, which allows users to upload images and PDF files that can be added to listed products on their sites.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
The flaw is possible to exploit in some configurations even if the plugin has been deactivated. All users, therefore, were initially urged to uninstall Fancy Product Designer until a patched version was made available, although this has now been released.
Siemens fixes series of automation products
Siemens has released patches for a critical memory protection flaw embedded in a set of automation products, which hackers could exploit to run arbitrary code to access memory.
The vulnerability, tagged CVE-2020-15782, is highly critical and affects seven products across Siemens' automation product series SIMATIC S7-1200 and S7-1500 CPU. These appliances are conventionally used to control applications and tasks for medium and complex mechanical engineering and factory plant buildings.
Hackers could exploit these flaws to remotely obtain read-write memory access, which can allow them to read data, as well as use this as a springboard to launch further attacks.
Siemens has strongly advised that operators enable password protection for S8 communication and configure additional access protections. They should also block remote client connections, prevent physical access to critical components, and ensure the vulnerable systems aren't connected to untrusted networks.
Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.
-
Security experts issue warning over the rise of 'gray bot' AI web scrapers
News While not malicious, the bots can overwhelm web applications in a way similar to bad actors
By Jane McCallion Published
-
Does speech recognition have a future in business tech?
Once a simple tool for dictation, speech recognition is being revolutionized by AI to improve customer experiences and drive inclusivity in the workforce
By Jonathan Weinberg Published
-
Broadcom issues urgent alert over three VMware zero-days
News The firm says it has information to suggest all three are being exploited in the wild
By Solomon Klappholz Published
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claim
News Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
By Solomon Klappholz Published
-
Everything you need to know about the Microsoft Power Pages vulnerability
News A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
By Solomon Klappholz Published
-
Vulnerability management complexity is leaving enterprises at serious risk
News Fragmented data and siloed processes mean remediation is taking too long
By Emma Woollacott Published
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to know
News Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
By Solomon Klappholz Published
-
Researchers claim an AMD security flaw could let hackers access encrypted data
News Using only a $10 test rig, researchers were able to pull off the badRAM attack
By Solomon Klappholz Published
-
A journey to cyber resilience
whitepaper DORA: Ushering in a new era of cyber security
By ITPro Published
-
A new framework for third-party risk in the European Union
whitepaper Report: DORA and cyber risk
By ITPro Published