CVE-2025-6833 MEDIUM

CVE-2025-6833: All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier <= 2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Clocking In/Out

Vendor Codebangers
Product All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier
Weakness CWE-639 · IDOR
Published October 22, 2025
Last update April 8, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

01 Description: what the vulnerability does

The All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0 via the 'aio_time_clock_lite_js' AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber access and above, to clock other users in and out.
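To make the CWE-639 pattern concrete, the following is an added illustration and not code from the Codebangers plugin: a WordPress AJAX handler in which a request-supplied user key decides whose clock record is written (the shape of bug the advisory describes), beside a hardened handler that derives the owner from the session and requires an explicit capability to act on anyone else. The parameter names ('user_id', 'clock_action'), the nonce action name and the capability 'manage_time_clock' are assumptions for the example, not the plugin's real identifiers; only the AJAX action name 'aio_time_clock_lite_js' comes from the advisory.

```php
<?php
// Added illustration; not code from the Codebangers plugin. It shows the
// CWE-639 pattern the advisory describes (a request-supplied user key decides
// whose clock record is written) beside a hardened handler. Parameter names
// ('user_id', 'clock_action'), the nonce action name and the capability
// 'manage_time_clock' are assumptions, not the plugin's real identifiers.

// Minimal stand-ins so the file also runs outside WordPress (php this_file.php).
if (!function_exists('absint')) {
    function absint($v) { return abs((int) $v); }
}
if (!function_exists('user_can')) {
    // Outside WordPress nobody holds the elevated capability.
    function user_can($user, $cap) { return false; }
}

/**
 * Vulnerable pattern. The id that selects WHOSE record is modified is read
 * from the request, and nothing ties it to the logged-in user. Any account
 * that can reach wp_ajax_* (subscriber and up) can therefore pass another
 * user's id.
 */
function vulnerable_clock_handler(array $request, int $current_user_id, array &$store): array
{
    $target = absint($request['user_id'] ?? 0);            // user-controlled key, unvalidated
    $action = $request['clock_action'] ?? 'in';
    $store[$target][] = ['action' => $action, 'by' => $current_user_id];
    return ['ok' => true, 'user' => $target];
}

/**
 * Hardened pattern. The record owner defaults to the session user; acting on
 * any other user requires an explicit capability; the action value is checked
 * against an allow-list; and the caller (below) also verifies a nonce.
 * The nonce stops CSRF, the ownership check stops the IDOR: both belong in
 * the handler, but only the ownership check fixes this bug class.
 */
function hardened_clock_handler(array $request, int $current_user_id, array &$store): array
{
    if ($current_user_id === 0) {
        return ['ok' => false, 'error' => 'not logged in'];
    }
    $target = isset($request['user_id']) ? absint($request['user_id']) : $current_user_id;
    if ($target !== $current_user_id && !user_can($current_user_id, 'manage_time_clock')) {
        return ['ok' => false, 'error' => 'forbidden: cannot clock another user'];
    }
    $action = $request['clock_action'] ?? '';
    if (!in_array($action, ['in', 'out'], true)) {
        return ['ok' => false, 'error' => 'bad action'];
    }
    $store[$target][] = ['action' => $action, 'by' => $current_user_id];
    return ['ok' => true, 'user' => $target];
}

if (function_exists('add_action')) {
    // Inside WordPress: register on the advisory's AJAX action name, verify the
    // nonce first, then let the handler decide ownership and capability.
    add_action('wp_ajax_aio_time_clock_lite_js', function () {
        check_ajax_referer('aio_time_clock_lite_nonce', 'nonce');   // assumed nonce names
        $store = [];   // a real plugin would persist, e.g. via update_user_meta()
        $result = hardened_clock_handler($_POST, get_current_user_id(), $store);
        $result['ok'] ? wp_send_json_success($result) : wp_send_json_error($result, 403);
    });
} else {
    // Stand-alone demo with a constructed request: user 7 (a subscriber)
    // sends user_id=3. The vulnerable handler writes user 3's record; the
    // hardened one refuses because 7 holds no elevated capability.
    $store = [];
    $req = ['user_id' => '3', 'clock_action' => 'out'];
    print_r(vulnerable_clock_handler($req, 7, $store));
    print_r(hardened_clock_handler($req, 7, $store));
    print_r($store);
}
```

The point to take from the comparison is that the fix is an authorization decision, not input sanitization: casting the key to an integer does nothing against this class, and a nonce alone does not help either, since the attacker is a legitimately logged-in user holding a valid nonce. When reviewing a plugin for the same weakness, look for every wp_ajax_* handler that reads an owner-identifying value from $_POST or $_GET and check whether it is compared against get_current_user_id() or gated by current_user_can()/user_can().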

02 Summary: explanation of the vulnerability in simple terms

A low-privilege user can modify data in the All in One Time Clock Lite plugin through a network request without user interaction. The vulnerability affects versions 2.0 and earlier. An attacker with a low-level account (such as an employee) can alter information, though the impact is limited to data integrity. Update to a version newer than 2.0 when available.

03 Attacker capabilities: what an attacker can do

Modify plugin data via network request with a low-privilege account.

04 Site impact: potential impact on your site

Low-privilege users can alter time clock or employee tracking data without authorization.

05 Prerequisites: conditions required to exploit

Attacker must have a low-privilege user account on the site; no user interaction required.

06 Disclosure timeline: key dates

October 22, 2025 CVE published
April 8, 2026 Record updated