VYPR
Medium severity 4.3 · NVD Advisory · Published Sep 22, 2025 · Updated Apr 23, 2026

CVE-2025-59568

Description

Cross-Site Request Forgery (CSRF) vulnerability in Zoho Flow (zoho-flow) allows Cross Site Request Forgery. This issue affects Zoho Flow: from n/a through 2.14.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-Site Request Forgery (CSRF) vulnerability in Zoho Flow WordPress plugin up to 2.14.1 allows attackers to force privileged users into unintended actions.

Vulnerability

Overview

The Zoho Flow plugin for WordPress (versions up to and including 2.14.1) contains a Cross-Site Request Forgery (CSRF) vulnerability [1]. The flaw is that at least one state-changing request handled by the plugin is processed without verifying that the logged-in user deliberately issued it (in WordPress this verification is normally a nonce check on the request), so an attacker can craft a request that the victim's browser submits and that the plugin executes with the authenticated administrator's privileges.

Exploitation

Details

To exploit this vulnerability, an attacker must lure a user who is logged in to the WordPress dashboard with elevated privileges (such as an administrator) into clicking a crafted link or visiting an attacker-controlled page [1]. The attacker needs no credentials of their own: the page issues the forged request to the site, the victim's browser attaches the victim's session cookies automatically, and the plugin processes the request as if the administrator had submitted it.
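The pattern behind this class of flaw, as an added illustration that is not Zoho Flow's code and does not reproduce the plugin's actual handler: a WordPress admin-post handler that saves a setting without verifying that the administrator intended the request, beside a hardened version that binds the settings form to a nonce and rejects requests that lack a valid one. The action name example_flow_save, the option example_flow_webhook_url, the page slug example-flow and the manage_options capability are placeholders chosen for the example.

```php
<?php
/**
 * Added example (hypothetical plugin, not Zoho Flow's code).
 * Shows the CSRF-prone handler pattern and its hardened counterpart.
 * All names (example_flow_*, example-flow) are placeholders.
 */

// --- Vulnerable pattern -----------------------------------------------------
// Reached by any logged-in user who POSTs to
// wp-admin/admin-post.php?action=example_flow_save. The capability check
// limits who may run it, but a CSRF request arrives with the administrator's
// own cookies, so it passes; nothing proves the admin meant to send it.
function example_flow_save_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    $url = isset( $_POST['webhook_url'] )
        ? esc_url_raw( wp_unslash( $_POST['webhook_url'] ) )
        : '';
    update_option( 'example_flow_webhook_url', $url ); // attacker-chosen value
    wp_safe_redirect( admin_url( 'admin.php?page=example-flow&saved=1' ) );
    exit;
}
// A plugin with the weakness would register the handler like this:
// add_action( 'admin_post_example_flow_save', 'example_flow_save_vulnerable' );

// --- Hardened pattern -------------------------------------------------------
// The settings form embeds a nonce tied to this action and to the current
// user's session. A page on another origin cannot read that value, so it
// cannot forge a request the handler will accept.
function example_flow_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_flow_save', 'example_flow_nonce' ); ?>
        <input type="hidden" name="action" value="example_flow_save">
        <input type="url" name="webhook_url"
               value="<?php echo esc_attr( get_option( 'example_flow_webhook_url', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_flow_save_hardened() {
    // Authorization: may this user change settings at all?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    // CSRF defence: did the request come from our own form with a live nonce?
    // check_admin_referer() calls wp_die() when the nonce is missing or invalid,
    // so execution never reaches update_option() for a forged request.
    check_admin_referer( 'example_flow_save', 'example_flow_nonce' );

    $url = isset( $_POST['webhook_url'] )
        ? esc_url_raw( wp_unslash( $_POST['webhook_url'] ) )
        : '';
    update_option( 'example_flow_webhook_url', $url );
    wp_safe_redirect( admin_url( 'admin.php?page=example-flow&saved=1' ) );
    exit;
}
add_action( 'admin_post_example_flow_save', 'example_flow_save_hardened' );

add_action( 'admin_menu', function () {
    add_menu_page( 'Example Flow', 'Example Flow', 'manage_options',
        'example-flow', 'example_flow_render_form' );
} );
```

An attacker's page only has to auto-submit a form with method="post" whose action points at admin-post.php with action=example_flow_save; the victim's browser sends it with their cookies attached. Against the hardened handler that request carries no valid example_flow_nonce field, check_admin_referer() aborts, and the option is never written. The capability check on its own does not help, because the forged request executes as the administrator; the nonce is what ties the request to a deliberate submission from the plugin's own page.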

Impact

Successful exploitation enables an attacker to force the victim to perform unintended actions within the Zoho Flow plugin, such as modifying configurations, creating or deleting flows, or altering settings [1]. This could lead to disruption of service or unauthorized data manipulation.

Mitigation

The vulnerability is fixed in version 2.14.2 of the plugin [1]. Site owners should update immediately and then confirm the installed version on the Plugins screen (or, where WP-CLI is available, with wp plugin get zoho-flow --field=version), since a site that still reports 2.14.1 or lower remains exposed. Patchstack also recommends enabling auto-updates for vulnerable plugins to prevent future exploitation [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)