
CVE-2025-31408 – WordPress Zoho Flow plugin <= 2.13.3 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2025-31408
01 Apr 2025 — Missing Authorization vulnerability in Zoho Flow allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Zoho Flow: from n/a through 2.13.3. The Zoho Flow – Integrate 100+ plugins with 1000+ business apps, no-code workflow automation plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.13.3. This makes it possible for authenticated attackers, with Subscriber-level access and above,... • https://patchstack.com/database/wordpress/plugin/zoho-flow/vulnerability/wordpress-zoho-flow-plugin-2-13-3-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization

CVE-2025-31821 – WordPress Integration of Zoho CRM and Contact Form 7 plugin <= 1.0.6 - Open Redirection Vulnerability
https://notcve.org/view.php?id=CVE-2025-31821
01 Apr 2025 — URL Redirection to Untrusted Site ('Open Redirect') vulnerability in formsintegrations Integration of Zoho CRM and Contact Form 7 allows Phishing. This issue affects Integration of Zoho CRM and Contact Form 7: from n/a through 1.0.6. The Integration of Zoho CRM and Contact Form 7 plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.0.6. This is due to insufficient validation on a redirect URL. This makes it possible for unauthenticated attackers to redirect users to po... • https://patchstack.com/database/wordpress/plugin/integration-of-zoho-crm-and-contact-form-7/vulnerability/wordpress-integration-of-zoho-crm-and-contact-form-7-plugin-1-0-6-open-redirection-vulnerability?_s_id=cve • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVE-2025-30900 – WordPress Zoho Billing – Embed Payment Form plugin <= 4.0 - Stored Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-30900
27 Mar 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zoho Subscriptions Zoho Billing – Embed Payment Form allows Stored XSS. This issue affects Zoho Billing – Embed Payment Form: from n/a through 4.0. The Zoho Billing – Embed Payment Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with con... • https://patchstack.com/database/wordpress/plugin/zoho-subscriptions/vulnerability/wordpress-zoho-billing-embed-payment-form-plugin-4-0-stored-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-49297 – WordPress Zoho CRM Lead Magnet plugin <= 1.7.9.0 - SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-49297
15 Oct 2024 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Zoho CRM Zoho CRM Lead Magnet allows SQL Injection. This issue affects Zoho CRM Lead Magnet: from n/a through 1.7.9.0. The Zoho CRM Lead Magnet plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.7.9.7 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers,... • https://patchstack.com/database/vulnerability/zoho-crm-forms/wordpress-zoho-crm-lead-magnet-plugin-1-7-9-0-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2024-47633 – WordPress Zoho forms plugin <= 4.0 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-47633
30 Sep 2024 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Zoho Forms allows Stored XSS. This issue affects Zoho Forms: from n/a through 4.0. The Zoho Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that wil... • https://patchstack.com/database/vulnerability/zoho-forms/wordpress-zoho-forms-plugin-4-0-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-47334 – WordPress Zoho Flow for WordPress plugin <= 2.7.1 - SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-47334
26 Sep 2024 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Zoho Flow Zoho Flow for WordPress allows SQL Injection. This issue affects Zoho Flow for WordPress: from n/a through 2.7.1. The Zoho Flow for WordPress plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 2.8.0 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated atta... • https://patchstack.com/database/vulnerability/zoho-flow/wordpress-zoho-flow-plugin-2-7-1-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2024-38696 – WordPress Zoho CRM Lead Magnet plugin <= 1.7.8.8 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-38696
11 Jul 2024 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Zoho CRM Zoho CRM Lead Magnet allows Reflected XSS. This issue affects Zoho CRM Lead Magnet: from n/a through 1.7.8.8. The Zoho CRM Lead Magnet plugin f... • https://patchstack.com/database/vulnerability/zoho-crm-forms/wordpress-zoho-crm-lead-magnet-plugin-1-7-8-8-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-38752 – WordPress Zoho Campaigns plugin <= 2.0.8 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-38752
11 Jul 2024 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Zoho Campaigns allows Cross-Site Scripting (XSS). This issue affects Zoho Campaigns: from n/a through 2.0.8. The Zoho Campaigns plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrar... • https://patchstack.com/database/vulnerability/zoho-campaigns/wordpress-zoho-campaigns-plugin-2-0-8-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-37225 – WordPress Zoho Marketing Automation plugin <= 1.2.7 - SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-37225
21 Jun 2024 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Zoho Marketing Automation. This issue affects Zoho Marketing Automation: from n/a through 1.2.7. The Zoho Marketing Automation plugin for WordPress is vulnerable to SQL Injection in versions u... • https://patchstack.com/database/vulnerability/zoho-marketinghub/wordpress-zoho-marketing-automation-plugin-1-2-7-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2024-32441 – WordPress Zoho Campaigns plugin <= 2.0.7 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-32441
12 Apr 2024 — Cross-Site Request Forgery (CSRF) vulnerability in Zoho Campaigns. This issue affects Zoho Campaigns: from n/a through 2.0.7. The Zoho Campaigns plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.7. This is due to missing or incorrect nonce validation on the zcwc_optin_save function. • https://patchstack.com/database/vulnerability/zoho-campaigns/wordpress-zoho-campaigns-plugin-2-0-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)