cleantalk
Vulnerabilities and Security Researches

All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier, CVE-2025-11758

CVE, Research URL

CVE-2025-11758

Home page URL

Security reports for All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier

Application

All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier

Published on
Nov 04, 2025
Research Description
The All in One Time Clock Lite plugin for WordPress is vulnerable to unauthorized access due to a missing authorization check in all versions up to, and including, 2.0.3. This is due to the plugin exposing admin-level AJAX actions to unauthenticated users via wp_ajax_nopriv_ hooks, while relying only on a nonce check without capability checks. This makes it possible for unauthenticated attackers to create published pages, create shift records with integrity issues, and download time reports containing PII (employee names and work schedules).
Affected versions
max 2.0.4.
Status
vulnerable
Previous vulnerability researches
One Click Accessibility (CVE-2025-32640) , Apr 10, 2025
One Click Accessibility (CVE-2025-10700) , Nov 10, 2025
New vulnerability
Disable Content Editor For Specific Template (CVE-2025-12072) , Nov 10, 2025
AnyComment (CVE-2025-48091) , Nov 10, 2025
AnyComment (CVE-2025-60240) , Nov 10, 2025
Memberlite Shortcodes (CVE-2025-48087) , Nov 10, 2025
Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One (CVE-2025-10567) , Nov 10, 2025