cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches fortime-clock time-clock

Direction: ascending
Oct 20, 2024

Time Clock – A WordPress Employee & Volunteer Time Clock Plugin # CVE-2024-9593

CVE, Research URL

CVE-2024-9593

Home page URL

Security reports for Time Clock – A WordPress Employee & Volunteer Time Clock Plugin

Application

Time Clock – A WordPress Employee & Volunteer Time Clock Plugin

Date
Oct 18, 2024
Research Description
The Time Clock plugin and Time Clock Pro plugin for WordPress are vulnerable to Remote Code Execution in versions up to, and including, 1.2.2 (for Time Clock) and 1.1.4 (for Time Clock Pro) via the 'etimeclockwp_load_function_callback' function. This allows unauthenticated attackers to execute code on the server. The invoked function's parameters cannot be specified.
Affected versions
max 1.2.3.
Status
vulnerable
May 09, 2025

Time Clock – A WordPress Employee & Volunteer Time Clock Plugin # CVE-2025-47516

CVE, Research URL

CVE-2025-47516

Home page URL

Security reports for Time Clock – A WordPress Employee & Volunteer Time Clock Plugin

Application

Time Clock – A WordPress Employee & Volunteer Time Clock Plugin

Date
May 07, 2025
Research Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scott Paterson Time Clock allows Stored XSS. This issue affects Time Clock: from n/a through 1.2.3.
Affected versions
max 1.3.
Status
vulnerable
Nov 10, 2025

Time Clock – A WordPress Employee & Volunteer Time Clock Plugin # CVE-2025-10701

CVE, Research URL

CVE-2025-10701

Home page URL

Security reports for Time Clock – A WordPress Employee & Volunteer Time Clock Plugin

Application

Time Clock – A WordPress Employee & Volunteer Time Clock Plugin

Date
Oct 24, 2025
Research Description
The Time Clock – A WordPress Employee & Volunteer Time Clock Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data' parameter in all versions up to, and including, 1.3.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with Time Clock user credentials to inject arbitrary web scripts in pages that will execute whenever a user accesses an affected page.
Affected versions
max 1.3.2.
Status
vulnerable