CVE-2025-11758

EPSS 0.1%
Veröffentlicht 04.11.2025 04:27:15
Zuletzt bearbeitet 04.11.2025 15:40:45
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier <= 2.0.3 - Missing Authorization to Page Creation and Information Exposure

The All in One Time Clock Lite plugin for WordPress is vulnerable to unauthorized access due to a missing authorization check in all versions up to, and including, 2.0.3. This is due  to the plugin exposing admin-level AJAX actions to unauthenticated users via wp_ajax_nopriv_ hooks, while relying only on a nonce check without capability checks. This makes it possible for  unauthenticated attackers to create published pages, create shift records with integrity issues, and download time reports containing PII (employee names and work schedules).

Mögliche Gegenmaßnahme

All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier: Update to version 2.0.4, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 8

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier

Version *-2.0.3

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellercodebangers

≫

Produkt All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier

Default Statusunaffected

Version <= 2.0.3

Version *

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.1%	0.269

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	6.5	3.9	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://www.wordfence.com/threat-intel/vulnerabilities/id/28246279-ecd8-4731-a4cc-64a3a4167323?source=cve

https://plugins.trac.wordpress.org/browser/aio-time-clock-lite/tags/2.0.1/aio-time-clock-lite-actions.php#L26

https://plugins.trac.wordpress.org/browser/aio-time-clock-lite/tags/2.0.1/aio-time-clock-lite-actions.php#L442

https://plugins.trac.wordpress.org/browser/aio-time-clock-lite/tags/2.0.1/aio-time-clock-lite-actions.php#L1447

https://www.wordfence.com/threat-intel/vulnerabilities/id/28246279-ecd8-4731-a4cc-64a3a4167323

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-11758

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-11758

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-11758

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-11758