Vulnerabilities and security researches forzoho-flow zoho-flow

Sep 29, 2024

CVE, Research URL: CVE-2024-47334
Home page URL: Security reports for Zoho Flow
Application: Zoho Flow
Date: Oct 09, 2024
Research Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Zoho Flow Zoho Flow for WordPress allows SQL Injection.This issue affects Zoho Flow for WordPress: from n/a through 2.7.1.
Affected versions: max 2.8.1.
Status: vulnerable

Apr 03, 2025

CVE, Research URL: CVE-2025-31408
Home page URL: Security reports for Zoho Flow
Application: Zoho Flow
Date: Apr 01, 2025
Research Description: Missing Authorization vulnerability in Zoho Flow allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Zoho Flow: from n/a through 2.13.3.
Affected versions: max 2.13.3.
Status: vulnerable

Apr 25, 2026

CVE, Research URL: CVE-2025-59568
Home page URL: Security reports for Zoho Flow
Application: Zoho Flow
Date: Sep 23, 2025
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Zoho Flow Zoho Flow zoho-flow allows Cross Site Request Forgery.This issue affects Zoho Flow: from n/a through <= 2.14.1.
Affected versions: max 2.14.2.
Status: vulnerable

CVE, Research URL: CVE-2025-8479
Home page URL: Security reports for Zoho Flow
Application: Zoho Flow
Date: Sep 11, 2025
Research Description: The Zoho Flow plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.14.1. This is due to missing or incorrect nonce validation on the zoho_flow_deactivate_plugin function. This makes it possible for unauthenticated attackers to modify typography settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: max 2.14.2.
Status: vulnerable