Reflected Cross-Site Scripting in All in One Time Clock Lite Plugin for WordPress
CVE-2025-6832

6.1MEDIUM

Key Information:

Vendor: WordPress
Status: All In One Time Clock Lite – Tracking Employee Time Has Never Been Easier
Vendor: CVE Published:; 2 August 2025

What is CVE-2025-6832?

The All in One Time Clock Lite plugin for WordPress is susceptible to a reflected cross-site scripting vulnerability. This flaw arises from inadequate sanitization of the 'nonce' parameter, affecting all versions up to and including 2.0. Attackers can exploit this vulnerability by crafting malicious links that, when clicked by users, can execute arbitrary scripts on their browsers, leading to potential data theft and unauthorized actions.

Affected Version(s)

All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier * <= 2.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 2, 2025
Vulnerability Reserved
Jun 27, 2025

Credit

Jonas Benjamin Friedli