What the vulnerability does
01 Description
The All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0 via the 'aio_time_clock_lite_js' AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber access and above, to clock other users in and out.
Explanation of Vulnerability in Simple Terms
02 Summary
A low-privilege user can modify data in the All in One Time Clock Lite plugin through a network request without user interaction. The vulnerability affects versions 2.0 and earlier. An attacker with a low-level account (such as an employee) can alter information, though the impact is limited to data integrity. Update to a version newer than 2.0 when available.
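As an added illustration of the bug class described above (example code, not the plugin's own), the pattern of a WordPress AJAX handler that trusts a client-supplied user id is shown beside a hardened version that ties the action to the caller and requires an explicit capability to act on anyone else. The action name `example_clock_toggle`, the helper `example_clock_set_state()` and the meta keys are hypothetical.

```php
<?php
// Added illustration, not the plugin's code: an IDOR-prone WordPress AJAX
// handler and its hardened counterpart. All example_* names are hypothetical.

// Vulnerable pattern (shown for contrast, deliberately NOT registered below):
// the record key comes straight from the request and is never compared with
// the caller, so any logged-in user can act on any employee's record.
function example_clock_toggle_insecure() {
    $target = intval( $_POST['user_id'] );            // user-controlled key
    example_clock_set_state( $target, $_POST['state'] );
    wp_send_json_success();
}

// Hardened pattern: verify the nonce, default to the caller's own identity,
// and allow a different target only for users holding a real capability.
function example_clock_toggle_secure() {
    // CSRF check; check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_clock_nonce', 'nonce' );

    $current = get_current_user_id();
    $target  = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : $current;

    // Authorization: subscribers may only clock themselves in or out.
    if ( $target !== $current && ! current_user_can( 'edit_users' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed' ), 403 );
    }
    // Reject keys that do not refer to an existing user.
    if ( ! get_userdata( $target ) ) {
        wp_send_json_error( array( 'message' => 'Unknown user' ), 404 );
    }

    // Whitelist the state value instead of storing arbitrary input.
    $state = ( isset( $_POST['state'] ) && 'in' === $_POST['state'] ) ? 'in' : 'out';
    example_clock_set_state( $target, $state );
    wp_send_json_success( array( 'user_id' => $target, 'state' => $state ) );
}
// wp_ajax_ (without nopriv) already requires a login; the capability check
// above is what prevents one employee from acting on another.
add_action( 'wp_ajax_example_clock_toggle', 'example_clock_toggle_secure' );

// Hypothetical storage helper standing in for whatever the plugin persists.
function example_clock_set_state( $user_id, $state ) {
    update_user_meta( $user_id, 'example_clock_state', $state );
    update_user_meta( $user_id, 'example_clock_changed_at', time() );
}
```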
What an attacker can do
03 Attacker Capabilities
Modify plugin data via network request with a low-privilege account.
Potential impact on your site
04 Site Impact
Low-privilege users can alter time clock or employee tracking data without authorization.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege user account on the site; no user interaction required.
Key dates
06 Disclosure timeline
October 22, 2025: CVE published
April 8, 2026: Record updated