CVE-2025-11758
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-04

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The All in One Time Clock Lite plugin for WordPress is vulnerable to unauthorized access due to a missing authorization check in all versions up to, and including, 2.0.3. This is due to the plugin exposing admin-level AJAX actions to unauthenticated users via wp_ajax_nopriv_ hooks, while relying only on a nonce check without capability checks. This makes it possible for unauthenticated attackers to create published pages, create shift records with integrity issues, and download time reports containing PII (employee names and work schedules).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-04
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2025-11-04
EPSS Evaluated
2026-06-14
NVD
CVE-2025-11758
EUVD
EUVD-2025-37597
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress all_in_one_time_clock_lite 2.0.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the All in One Time Clock Lite WordPress plugin allows unauthorized users to access admin-level AJAX actions without proper authorization checks. This happens because the plugin exposes these actions to unauthenticated users via wp_ajax_nopriv_ hooks and only uses a nonce check without verifying user capabilities. As a result, attackers can perform actions such as creating published pages, creating shift records with integrity issues, and downloading time reports containing personally identifiable information (PII).

Impact Analysis

This vulnerability can impact you by allowing unauthenticated attackers to manipulate your WordPress site through the All in One Time Clock Lite plugin. They can create published pages without permission, generate inaccurate or tampered shift records, and access sensitive time reports that include employee names and work schedules. This can lead to data integrity issues and exposure of confidential employee information.

Compliance Impact

This vulnerability can negatively affect compliance with standards like GDPR and HIPAA because it allows unauthorized access to personally identifiable information (PII) such as employee names and work schedules. Exposure of such sensitive data without proper authorization can lead to violations of data protection and privacy regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11758. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart