Zoho Flow WordPress Plugin Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Zoho Flow plugin for WordPress, affecting versions through 2.14.1. The issue arises from inadequate nonce validation in the 'zoho_flow_deactivate_plugin' function, allowing unauthenticated attackers to alter typography settings by sending a forged request, provided they can persuade a site administrator to click a link.

Impact

Exploitation of this vulnerability could lead to unauthorized changes in typography settings on the affected WordPress site.

Reproduction

To reproduce this vulnerability, an attacker must trick a site administrator into clicking a link that triggers the 'zoho_flow_deactivate_plugin' function without the proper nonce validation. This can be done by sending a forged request that exploits the missing nonce check, allowing the attacker to deactivate the plugin and potentially disrupt any associated workflows or functionalities.

Remediation

Users are advised to update the Zoho Flow WordPress plugin to version 2.14.2 or later, where this vulnerability has been patched.