Zoho Flow – Integrate 100+ plugins with 1000+ business apps, no-code workflow automation Security & Risk Analysis

wordpress.org/plugins/zoho-flow

Integrate your WordPress plugins with your business applications and automate workflows between them. A single platform for all your integrations.

5K active installs · v2.14.2 · PHP 7.0.0+ · WP 4.4+ · Updated Sep 9, 2025
Tags: automation, integration, notification, webhook, workflow
Score 96 · A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Sep 22, 2025
Safety Verdict

Is Zoho Flow – Integrate 100+ plugins with 1000+ business apps, no-code workflow automation Safe to Use in 2026?

Generally Safe

Score 96/100

Zoho Flow – Integrate 100+ plugins with 1000+ business apps, no-code workflow automation has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

4 known CVEs · Last CVE: Sep 22, 2025 · Updated 8mo ago
Risk Assessment

The Zoho Flow plugin v2.14.2 presents a mixed security posture. While it demonstrates good practices in certain areas, such as using prepared statements for all SQL queries and performing a decent number of capability checks, significant concerns remain. The static analysis reveals a notable attack surface with 8 AJAX handlers, and critically, 3 of these lack authentication checks. This, combined with 6 high-severity taint flows with unsanitized paths, points to potential vulnerabilities that could be exploited by unauthenticated users. The historical vulnerability data, featuring 4 medium-severity CVEs including CSRF, Missing Authorization, and SQL Injection, reinforces these concerns and suggests a recurring pattern of security weaknesses that need diligent attention. While the absence of currently unpatched CVEs is positive, the identified code signals and taint analysis warrant a cautious approach.

Key Concerns

  • AJAX handlers without auth checks
  • High severity taint flows
  • Medium severity historical CVEs (SQLi, Missing Auth, CSRF)
  • Unsanitized paths in taint flows
  • Low output escaping percentage
  • Dangerous function (unserialize)
Vulnerabilities
4 published

Zoho Flow – Integrate 100+ plugins with 1000+ business apps, no-code workflow automation Security Vulnerabilities

CVEs by Year

2024: 1 CVE
2025: 3 CVEs

Severity Breakdown

Medium: 4

4 total CVEs

CVE-2025-59568 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
Zoho Flow <= 2.14.1 - Cross-Site Request Forgery
Sep 22, 2025 · Patched in 2.14.2 (5d)

CVE-2025-8479 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
Zoho Flow <= 2.14.1 - Cross-Site Request Forgery
Sep 10, 2025 · Patched in 2.14.2 (1d)

CVE-2025-31408 · medium · 4.3 · Missing Authorization
Zoho Flow <= 2.13.3 - Missing Authorization
Apr 1, 2025 · Patched in 2.13.4 (10d)

CVE-2024-47334 · medium · 4.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Zoho Flow for WordPress <= 2.8.0 - Authenticated (Administrator+) SQL Injection
Sep 26, 2024 · Patched in 2.8.1 (8d)

Code Analysis
Analyzed Mar 16, 2026

Zoho Flow – Integrate 100+ plugins with 1000+ business apps, no-code workflow automation Code Analysis

Dangerous Functions: 6
Raw SQL Queries: 0 (290 prepared)
Unescaped Output: 123 (96 escaped)
Nonce Checks: 4
Capability Checks: 20
File Operations: 4
External Requests: 2
Bundled Libraries: 0

Dangerous Functions Found

unserialize · $post_content = unserialize($fieldgroup->post_content); · integrations\advanced-custom-fields\advanced-custom-fields.php:268
unserialize · return rest_ensure_response( unserialize( $results[0]->value ) ); · integrations\fluent-booking\fluent-booking.php:118
unserialize · $settings = unserialize( $results[0]->quiz_settings ); · integrations\quiz-and-survey-master\quiz-and-survey-master.php:107
unserialize · $contact_form = unserialize( $settings['contact_form'] ); · integrations\quiz-and-survey-master\quiz-and-survey-master.php:109
unserialize · "question_settings" => unserialize( $question->question_settings ) · integrations\tutor-lms\tutor-lms.php:205
unserialize · "attempt_info" => unserialize( $results[0]->attempt_info ) · integrations\tutor-lms\tutor-lms.php:394

SQL Query Safety

100% prepared · 290 total queries

Output Escaping

44% escaped · 219 total outputs
Data Flows · Security
8 unsanitized

Data Flow Analysis

10 flows · 8 with unsanitized paths
zoho_flow_change_next_review_date (admin\admin.php:259)
Attack Surface
3 unprotected

Zoho Flow – Integrate 100+ plugins with 1000+ business apps, no-code workflow automation Attack Surface

Entry Points: 8
Unprotected: 3

AJAX Handlers 8

auth · wp_ajax_zoho_flow_rated · admin\admin.php:66
auth · wp_ajax_zoho_flow_generate_api_key · admin\admin.php:132
auth · wp_ajax_zoho_flow_remove_api_key · admin\admin.php:172
auth · wp_ajax_zoho_flow_api_key_table · admin\admin.php:182
auth · wp_ajax_zoho_flow_change_next_review_date · admin\admin.php:265
auth · wp_ajax_zoho_flow_change_next_suggestion_date · admin\admin.php:295
auth · wp_ajax_update_zf_boost_speed · admin\system-info.php:37
auth · wp_ajax_zoho_flow_deactivate_plugin · settings.php:144

WordPress Hooks 19

action · admin_init · admin\admin.php:6
action · admin_menu · admin\admin.php:12
filter · admin_footer_text · admin\admin.php:47
action · zoho-flow-review-notice · admin\admin.php:256
action · admin_notices · admin\admin.php:257
action · zoho-flow-suggestion-notice · admin\admin.php:283
action · admin_notices · admin\admin.php:284
action · admin_notices · admin\admin.php:297
action · wp_enqueue_scripts · admin\system-info.php:15
filter · map_meta_cap · includes\capabilities.php:7
action · zoho_flow_run_webhook · includes\utils.php:261
action · zoho_flow_rerun_after_5_mins · includes\utils.php:284
action · zoho_flow_rerun_after_10_mins · includes\utils.php:304
action · zoho_flow_rerun_after_30_mins · includes\utils.php:321
action · zoho_flow_rerun_after_60_mins · includes\utils.php:338
action · rest_api_init · includes\zoho-flow-services.php:59
action · plugins_loaded · settings.php:32
action · init · settings.php:38
action · admin_enqueue_scripts · settings.php:116

Scheduled Events 5

zoho_flow_run_webhook
zoho_flow_rerun_after_5_mins
zoho_flow_rerun_after_10_mins
zoho_flow_rerun_after_30_mins
zoho_flow_rerun_after_60_mins
Maintenance & Trust

Zoho Flow – Integrate 100+ plugins with 1000+ business apps, no-code workflow automation Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Sep 9, 2025
PHP min version: 7.0.0
Downloads: 100K

Community Trust

Rating: 100/100
Number of ratings: 13
Active installs: 5K
Developer Profile

Zoho Flow – Integrate 100+ plugins with 1000+ business apps, no-code workflow automation Developer Profile

Zoho Flow

1 plugin · 5K total installs

Trust score: 97
Avg Security Score: 96/100
Avg Patch Time: 6 days
Detection Fingerprints

How We Detect Zoho Flow – Integrate 100+ plugins with 1000+ business apps, no-code workflow automation

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/zoho-flow/assets/css/zoho-flow-admin.css
/wp-content/plugins/zoho-flow/assets/js/zoho-flow-admin.js
/wp-content/plugins/zoho-flow/assets/js/zoho-flow-review-notice.js
/wp-content/plugins/zoho-flow/assets/js/zoho-flow-suggestion-notice.js
/wp-content/plugins/zoho-flow/assets/js/zoho-flow-system-info.js
Script Paths
../assets/js/zoho-flow-admin.js
../assets/js/zoho-flow-review-notice.js
../assets/js/zoho-flow-suggestion-notice.js
../assets/js/zoho-flow-system-info.js

HTML / DOM Fingerprints

CSS Classes
zoho-flow-rating-link
Data Attributes
data-rated
JS Globals
i18n