Impact
The vulnerability is a missing authorization check in the Zoho Flow WordPress plugin, classified as CWE-862 (Missing Authorization). It allows users who are not properly authenticated or authorized to perform actions, read data, or alter settings that should be restricted to administrators. Consequently, attackers could gain unauthorized administrative privileges or access sensitive data within the WordPress site and the connected Zoho Flow system. This flaw directly undermines confidentiality and integrity, and potentially availability if administrative actions are abused.
Affected Systems
WordPress installations that have the Zoho Flow plugin v2.13.3 or earlier installed are affected. The issue spans all versions from the earliest released plugin version through v2.13.3.
Risk and Exploitability
The CVSS score of 4.3 indicates a moderate severity, and the EPSS score of <1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could exploit exposed plugin endpoints without proper authentication, potentially via a remote web request that bypasses role checks. The lack of authorization enforcement is the root weakness, and the risk to a site that has the vulnerable plugin enabled is moderate but could be amplified if the plugin manages sensitive data or integrates with external services.
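As an added illustration of the CWE-862 pattern this advisory describes, the following hypothetical WordPress plugin fragment shows a privileged settings update exposed without any authorization check, followed by the hardened form of the same handlers. This is example code written for this page, not code from the Zoho Flow plugin; the affected Zoho Flow endpoints are not identified in the advisory, and the route, action, option and nonce names used here are invented.

```php
<?php
/**
 * Hypothetical plugin fragment (added example, not Zoho Flow code).
 * Shows a CWE-862 missing-authorization pattern and its hardened form.
 */

// ---- VULNERABLE PATTERN (do not ship) -------------------------------------
// A REST route whose permission_callback admits everyone: any visitor who can
// reach the site can change an administrator-only option. Input sanitization
// does not help here; the defect is the absent authorization decision.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_settings_unchecked',
        'permission_callback' => '__return_true', // missing authorization check (CWE-862)
    ) );
} );

function example_update_settings_unchecked( WP_REST_Request $request ) {
    update_option( 'example_api_key', sanitize_text_field( $request->get_param( 'api_key' ) ) );
    return rest_ensure_response( array( 'updated' => true ) );
}

// An admin-ajax handler registered on the nopriv hook, so unauthenticated
// requests reach it, and with no capability or nonce check inside.
add_action( 'wp_ajax_nopriv_example_update_settings', 'example_update_settings_ajax_unchecked' );
add_action( 'wp_ajax_example_update_settings', 'example_update_settings_ajax_unchecked' );

function example_update_settings_ajax_unchecked() {
    update_option( 'example_api_key', sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ) );
    wp_send_json_success();
}

// ---- HARDENED PATTERN ----------------------------------------------------
// The REST route now requires the manage_options capability (held by
// administrators by default) before the callback runs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_settings_checked',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'api_key' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_update_settings_checked( WP_REST_Request $request ) {
    // Defence in depth: re-check inside the callback rather than trusting
    // that every registration path applied the permission_callback.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
    }
    update_option( 'example_api_key', $request->get_param( 'api_key' ) );
    return rest_ensure_response( array( 'updated' => true ) );
}

// AJAX: no nopriv registration, a CSRF nonce check, and a capability check.
add_action( 'wp_ajax_example_update_settings_secure', function () {
    check_ajax_referer( 'example_settings_nonce', 'nonce' ); // terminates the request on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'example_api_key', sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ) );
    wp_send_json_success();
} );
```

When reviewing a plugin for this class of weakness, the places to read are every `register_rest_route` call whose `permission_callback` is `__return_true` or absent, and every `wp_ajax_nopriv_` hook, confirming that the handler behind each one performs no privileged action. For this advisory the practical mitigation is to move affected sites to a Zoho Flow plugin version later than v2.13.3.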
OpenCVE Enrichment