CVE-2025-11758
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-04

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The All in One Time Clock Lite plugin for WordPress is vulnerable to unauthorized access due to a missing authorization check in all versions up to, and including, 2.0.3. This is due to the plugin exposing admin-level AJAX actions to unauthenticated users via wp_ajax_nopriv_ hooks, while relying only on a nonce check without capability checks. This makes it possible for unauthenticated attackers to create published pages, create shift records with integrity issues, and download time reports containing PII (employee names and work schedules).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-04
Last Modified
2026-04-08
Generated
2026-05-07
AI Q&A
2025-11-04
EPSS Evaluated
2026-05-05
NVD
CVE-2025-11758
EUVD
EUVD-2025-37597
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress all_in_one_time_clock_lite 2.0.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in the All in One Time Clock Lite WordPress plugin allows unauthorized users to access admin-level AJAX actions without proper authorization checks. This happens because the plugin exposes these actions to unauthenticated users via wp_ajax_nopriv_ hooks and only uses a nonce check without verifying user capabilities. As a result, attackers can perform actions such as creating published pages, creating shift records with integrity issues, and downloading time reports containing personally identifiable information (PII).


How can this vulnerability impact me? :

This vulnerability can impact you by allowing unauthenticated attackers to manipulate your WordPress site through the All in One Time Clock Lite plugin. They can create published pages without permission, generate inaccurate or tampered shift records, and access sensitive time reports that include employee names and work schedules. This can lead to data integrity issues and exposure of confidential employee information.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability can negatively affect compliance with standards like GDPR and HIPAA because it allows unauthorized access to personally identifiable information (PII) such as employee names and work schedules. Exposure of such sensitive data without proper authorization can lead to violations of data protection and privacy regulations.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart