cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches foraio-time-clock-lite aio-time-clock-lite

Direction: ascending
Jun 07, 2024

All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier # CVE-2022-44594

CVE, Research URL

CVE-2022-44594

Home page URL

Security reports for All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier

Application

All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier

Date
Apr 23, 2023
Research Description
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Codebangers All in One Time Clock Lite plugin <= 1.3.320 versions.
Affected versions
max 1.3.321.
Status
vulnerable
Apr 26, 2025

All in One Time Clock Lite &#8211; Tracking Employee Time Has Never Been Easier # CVE-2025-46513

CVE, Research URL

CVE-2025-46513

Home page URL

Security reports for All in One Time Clock Lite &#8211; Tracking Employee Time Has Never Been Easier

Application

All in One Time Clock Lite &#8211; Tracking Employee Time Has Never Been Easier

Date
Apr 24, 2025
Research Description
Cross-Site Request Forgery (CSRF) vulnerability in Codebangers All in One Time Clock Lite allows Cross Site Request Forgery. This issue affects All in One Time Clock Lite: from n/a through 1.3.324.
Affected versions
max 1.3.324.
Status
vulnerable
Aug 04, 2025

All in One Time Clock Lite &#8211; Tracking Employee Time Has Never Been Easier # CVE-2025-6832

CVE, Research URL

CVE-2025-6832

Home page URL

Security reports for All in One Time Clock Lite &#8211; Tracking Employee Time Has Never Been Easier

Application

All in One Time Clock Lite &#8211; Tracking Employee Time Has Never Been Easier

Date
Aug 02, 2025
Research Description
The All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'nonce' parameter in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions
max 2.0.1.
Status
vulnerable
Nov 10, 2025

All in One Time Clock Lite &#8211; Tracking Employee Time Has Never Been Easier # CVE-2025-11758

CVE, Research URL

CVE-2025-11758

Home page URL

Security reports for All in One Time Clock Lite &#8211; Tracking Employee Time Has Never Been Easier

Application

All in One Time Clock Lite &#8211; Tracking Employee Time Has Never Been Easier

Date
Nov 04, 2025
Research Description
The All in One Time Clock Lite plugin for WordPress is vulnerable to unauthorized access due to a missing authorization check in all versions up to, and including, 2.0.3. This is due to the plugin exposing admin-level AJAX actions to unauthenticated users via wp_ajax_nopriv_ hooks, while relying only on a nonce check without capability checks. This makes it possible for unauthenticated attackers to create published pages, create shift records with integrity issues, and download time reports containing PII (employee names and work schedules).
Affected versions
max 2.0.4.
Status
vulnerable