Unauthorized Access Vulnerability in All in One Time Clock Lite for WordPress
CVE-2025-11758

6.5 MEDIUM

What is CVE-2025-11758?

The All in One Time Clock Lite plugin for WordPress contains a security flaw that permits unauthorized access to administrative functions. The vulnerability arises from missing or incomplete authorization checks in all versions up to and including 2.0.3, which expose sensitive AJAX actions to unauthenticated users. An attacker can use this weakness to create published pages, manipulate shift records (an integrity impact), and read time reports containing personally identifiable information (PII) such as employee names and work schedules. The affected handlers rely solely on nonce checks and perform no capability checks; because a nonce only proves that a request originated from a page the site served, not that the caller is permitted to perform the action, this significantly increases the risk posed by the vulnerability.
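The following is an added illustration of the pattern described above and is not code from the All in One Time Clock Lite plugin. The action names (`tc_example_report_vulnerable`, `tc_example_report`), the nonce action `tc_example_nonce`, the capability `manage_options` and the helper `tc_example_build_report()` are all hypothetical; a real plugin would use its own names and a capability matching the sensitivity of the data. It places a nonce-only handler beside one that also verifies the caller's capability and is not registered for unauthenticated (`nopriv`) requests.

```php
<?php
// Added example, not the plugin's own code. All names below are hypothetical.

// Vulnerable pattern: the handler is registered for unauthenticated callers
// (wp_ajax_nopriv_) and guarded only by a nonce. check_ajax_referer() proves
// the request came from a page the site rendered; it says nothing about who
// is asking, so any visitor who obtains the nonce reaches the report.
add_action( 'wp_ajax_nopriv_tc_example_report_vulnerable', 'tc_example_report_vulnerable' );
add_action( 'wp_ajax_tc_example_report_vulnerable', 'tc_example_report_vulnerable' );
function tc_example_report_vulnerable() {
    check_ajax_referer( 'tc_example_nonce', 'nonce' );
    wp_send_json_success( tc_example_build_report() );
}

// Hardened pattern: no nopriv registration, so WordPress only dispatches the
// action for logged-in users, plus an explicit capability check in addition
// to the nonce. wp_send_json_error() calls wp_die(), so nothing below it runs
// for a caller who lacks the capability.
add_action( 'wp_ajax_tc_example_report', 'tc_example_report_hardened' );
function tc_example_report_hardened() {
    check_ajax_referer( 'tc_example_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) { // hypothetical capability choice
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    wp_send_json_success( tc_example_build_report() );
}

// Hypothetical stand-in for whatever assembles the time report (employee
// names, schedules, shift records) in a real plugin.
function tc_example_build_report() {
    return array( 'employees' => array() );
}
```

When auditing a plugin for this class of issue, list every `add_action( 'wp_ajax_nopriv_...' )` registration and confirm that each callback either serves genuinely public data or performs a `current_user_can()` check; a handler that only calls `check_ajax_referer()` or `wp_verify_nonce()` is the pattern this CVE describes.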

Affected Version(s)

All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier: <= 2.0.3

References

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Athiwat Tiprasaharn