CVE-2025-11758

EPSS 0.23%
Veröffentlicht 04.11.2025 04:27:15
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier <= 2.0.3 - Missing Authorization to Page Creation and Information Exposure

The All in One Time Clock Lite plugin for WordPress is vulnerable to unauthorized access due to a missing authorization check in all versions up to, and including, 2.0.3. This is due  to the plugin exposing admin-level AJAX actions to unauthenticated users via wp_ajax_nopriv_ hooks, while relying only on a nonce check without capability checks. This makes it possible for  unauthenticated attackers to create published pages, create shift records with integrity issues, and download time reports containing PII (employee names and work schedules).

Mögliche Gegenmaßnahme

All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier: Update to version 2.0.4, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 9

CNA 1 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellercodebangers

≫

Produkt All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier

Default Statusunaffected

Version <= 2.0.3

Version 0

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier

Version *-2.0.3

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.23%	0.13

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	6.5	3.9	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://www.wordfence.com/threat-intel/vulnerabilities/id/28246279-ecd8-4731-a4cc-64a3a4167323?source=cve

https://plugins.trac.wordpress.org/browser/aio-time-clock-lite/tags/2.0.1/aio-time-clock-lite-actions.php#L26

https://plugins.trac.wordpress.org/browser/aio-time-clock-lite/tags/2.0.1/aio-time-clock-lite-actions.php#L442

https://plugins.trac.wordpress.org/browser/aio-time-clock-lite/tags/2.0.1/aio-time-clock-lite-actions.php#L1447

https://plugins.trac.wordpress.org/changeset/3388144/

https://www.wordfence.com/threat-intel/vulnerabilities/id/28246279-ecd8-4731-a4cc-64a3a4167323

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-11758

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-11758

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-11758

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-11758