CVE-2025-8479
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-11

Last updated on: 2025-09-11

Assigner: Wordfence

Description
The Zoho Flow plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.14.1. This is due to missing or incorrect nonce validation on the zoho_flow_deactivate_plugin function. This makes it possible for unauthenticated attackers to modify typography settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-11
Last Modified
2025-09-11
Generated
2026-06-16
AI Q&A
2025-09-11
EPSS Evaluated
2026-06-15
NVD
CVE-2025-8479
EUVD
EUVD-2025-27632
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
zoho flow 2.14.1
zoho flow 2.14.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the Zoho Flow plugin for WordPress (up to version 2.14.1) is a Cross-Site Request Forgery (CSRF) issue. It occurs because the plugin's function zoho_flow_deactivate_plugin lacks proper nonce validation, which is a security token used to verify requests. This flaw allows an unauthenticated attacker to trick a site administrator into performing unintended actions, such as modifying typography settings, by making the administrator click on a malicious link that sends a forged request.

Impact Analysis

This vulnerability can allow an attacker to cause unauthorized changes to your WordPress site's Zoho Flow plugin settings without your consent. Specifically, an attacker could modify typography settings by tricking an administrator into clicking a malicious link. While it does not allow direct data theft or site takeover, it can lead to unauthorized configuration changes that may affect site appearance or behavior.

Detection Guidance

This vulnerability can be detected by checking if the Zoho Flow WordPress plugin is installed and running a vulnerable version (up to and including 2.14.1). Since the issue is a missing or incorrect nonce validation in the zoho_flow_deactivate_plugin function, detection involves verifying the plugin version. You can check the installed plugin version via WordPress CLI with the command: `wp plugin list --status=active | grep zoho-flow`. If the version is 2.14.1 or lower, the system is vulnerable. Additionally, monitoring for suspicious POST requests targeting plugin deactivation endpoints or unexpected changes in typography settings could indicate exploitation attempts, but no specific network commands are provided in the resources. [2]

Mitigation Strategies

The immediate mitigation step is to update the Zoho Flow WordPress plugin to version 2.14.2 or later, where the vulnerability has been patched by adding proper nonce validation to the zoho_flow_deactivate_plugin function. Until the update is applied, restrict administrative access to trusted users only and avoid clicking on suspicious links that could trigger forged requests. Additionally, monitor and restrict AJAX requests related to plugin deactivation if possible. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-8479. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart