CVE-2025-11758 MEDIUM

CVE-2025-11758: All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier <= 2.0.3 - Missing Authorization to Page Creation and Information Exposure

Vendor: Codebangers
Product: All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier
Weakness: CWE-862 · Missing authorization
Published: November 4, 2025
Last update: April 8, 2026

CVSS base score: 6.5/10

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

The All in One Time Clock Lite plugin for WordPress is vulnerable to unauthorized access due to a missing authorization check in all versions up to, and including, 2.0.3. This is due to the plugin exposing admin-level AJAX actions to unauthenticated users via wp_ajax_nopriv_ hooks, while relying only on a nonce check without capability checks. This makes it possible for unauthenticated attackers to create published pages, create shift records with integrity issues, and download time reports containing PII (employee names and work schedules).
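The pattern the description names, an admin-level handler registered on a wp_ajax_nopriv_ hook and guarded only by a nonce, and the corresponding fix are shown in the added PHP example below. This is illustrative code written for this page, not the plugin's own source; the action names (aiotc_export_report, aiotc_create_page), function names and the nonce action string are hypothetical placeholders, and the capabilities chosen (manage_options, publish_pages) are assumptions about what such handlers should require.

```php
<?php
// Added example (not the plugin's code): the weak registration pattern described in
// the advisory, beside a hardened version. All action/function names are hypothetical.

// --- Weak pattern: what CWE-862 looks like in a WordPress AJAX handler ---
// Registering the same admin-level callback on the wp_ajax_nopriv_ hook makes it
// reachable by logged-out visitors. The nonce only proves the request came from a
// page that printed the nonce (CSRF protection); it says nothing about who the
// caller is or what they are allowed to do. That is the missing-authorization gap.
add_action( 'wp_ajax_aiotc_export_report',        'aiotc_export_report_weak' );
add_action( 'wp_ajax_nopriv_aiotc_export_report', 'aiotc_export_report_weak' ); // exposes handler to anyone

function aiotc_export_report_weak() {
    check_ajax_referer( 'aiotc_nonce', 'nonce' ); // CSRF check only, no capability check
    // ... builds a time report containing employee names and schedules (PII) ...
    wp_send_json_success( array( 'report' => '...' ) );
}

// --- Hardened pattern ---
// 1. Register privileged actions on wp_ajax_ only; do not add a wp_ajax_nopriv_ hook.
// 2. Keep the nonce check (CSRF) AND add a capability check (authorization).
//    wp_send_json_error() calls wp_die(), so execution stops on failure.
add_action( 'wp_ajax_aiotc_export_report', 'aiotc_export_report_secure' );

function aiotc_export_report_secure() {
    check_ajax_referer( 'aiotc_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) { // assumed capability for report export
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    // ... build the report for an authorized administrator only ...
    wp_send_json_success( array( 'report' => '...' ) );
}

// Same approach for a page-creation handler: check the relevant capability before
// wp_insert_post(), sanitize input, and do not default to a published status.
add_action( 'wp_ajax_aiotc_create_page', 'aiotc_create_page_secure' );

function aiotc_create_page_secure() {
    check_ajax_referer( 'aiotc_nonce', 'nonce' );
    if ( ! current_user_can( 'publish_pages' ) ) { // assumed capability for creating pages
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    if ( '' === $title ) {
        wp_send_json_error( array( 'message' => 'Title is required' ), 400 );
    }

    $post_id = wp_insert_post(
        array(
            'post_type'   => 'page',
            'post_title'  => $title,
            'post_status' => 'draft', // create as draft; publishing is a separate, reviewed step
        ),
        true // return WP_Error instead of 0 on failure
    );

    if ( is_wp_error( $post_id ) ) {
        wp_send_json_error( array( 'message' => $post_id->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'id' => $post_id ) );
}
```

When reviewing a plugin for this class of bug, every callback attached to a wp_ajax_nopriv_ hook deserves a look: if it reads or writes anything beyond what an anonymous visitor should see, the nopriv registration should go, and the authenticated handler should pair its nonce check with current_user_can() for a capability that matches the operation.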

Explanation of Vulnerability in Simple Terms

02 Summary

The All in One Time Clock Lite plugin for WordPress contains a missing authorization flaw that allows unauthenticated attackers to read and modify sensitive employee time tracking data. No user interaction is required. Attackers can access employee records and time clock information without logging in. Update to a version newer than 2.0.3.

What an attacker can do

03 Attacker Capabilities

Read and modify employee time tracking data without logging in.

Potential impact on your site

04 Site Impact

Employee time records and payroll data can be viewed or altered by anyone on the internet.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06 Disclosure timeline

November 4, 2025: CVE published
April 8, 2026: Record updated