cleantalk
Vulnerabilities and Security Researches

All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier, CVE-2025-11758

CVE, Research URL

CVE-2025-11758

Home page URL

Security reports for All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier

Application

All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier

Published on
Nov 04, 2025
Research Description
The All in One Time Clock Lite plugin for WordPress is vulnerable to unauthorized access due to a missing authorization check in all versions up to, and including, 2.0.3. This is due to the plugin exposing admin-level AJAX actions to unauthenticated users via wp_ajax_nopriv_ hooks, while relying only on a nonce check without capability checks. This makes it possible for unauthenticated attackers to create published pages, create shift records with integrity issues, and download time reports containing PII (employee names and work schedules).
Affected versions
max 2.0.4.
Status
vulnerable
Previous vulnerability researches
Playerzbr (CVE-2025-11825) , Nov 10, 2025
New vulnerability
Tutor LMS – eLearning and online course solution (CVE-2025-11564) , Nov 10, 2025
Product Addons & Fields for WooCommerce (CVE-2025-11391) , Nov 10, 2025
Product Addons & Fields for WooCommerce (CVE-2025-11691) , Nov 10, 2025
wpNamedUsers (CVE-2025-48083) , Nov 10, 2025
Colibri Page Builder (CVE-2025-9560) , Nov 10, 2025