This vulnerability is a Cross‑Site Request Forgery flaw that enables an attacker to cause a victim’s browser, while authenticated to the Zoho Flow WordPress plugin, to submit requests that the plugin accepts. By carrying out such malicious requests, an attacker could perform any action that the authenticated user can, potentially exposing or modifying data the user has access to. The weakness is identified as CWE‑352 and does not provide a direct path to execute arbitrary code or gain system‑level privileges.

The flaw affects the Zoho Flow WordPress plugin versions up to and including 2.14.1. Hosts running this plugin should check for installed versions and consider updating if they contain this or earlier releases.

The CVSS v3 base score of 4.3 indicates moderate overall risk, and the EPSS score is reported as less than 1 %, showing a very low probability of real‑world exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers would typically attempt to exploit this flaw by tricking a logged‑in user into visiting a crafted link that submits a request to the site; because of the low exploitation rates and lack of privilege escalation, the threat is considered limited but still noteworthy for organizations that rely on the plugin for critical workflows.