Description
The All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'nonce' parameter in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2025-08-02
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting via the 'nonce' parameter
Action: Patch Immediately
AI Analysis

Impact

The All in One Time Clock Lite plugin for WordPress contains a reflected cross‑site scripting flaw that is triggered through the 'nonce' parameter. An attacker can insert malicious scripts that are reflected in the response when a specially crafted URL is accessed. Because the parameters are not properly sanitized or escaped, the injected code can run in the browsers of any user who follows the link, potentially exposing sensitive data, hijacking sessions, or injecting further malicious content.

Affected Systems

All versions of the All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier plugin, distributed by codebangers, up to and including 2.0 are affected. The plugin is distributed for WordPress sites and may be installed on any WordPress installation that uses these plugin versions.

Risk and Exploitability

The vulnerability receives a CVSS score of 6.1, indicating moderate severity. The EPSS score is below 1 %, reflecting a very low probability of exploitation at present. The flaw is not listed in the CISA KEV catalog, suggesting no known active exploitation. Attackers would need to craft a URL with a malicious nonce value and convince an unauthenticated user to click it. If successful, the reflected script runs in the victim’s browser, leading to potential data theft, session hijacking, or defacement. The risk is moderate but still warrants timely remediation.

Generated by OpenCVE AI on April 21, 2026 at 19:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the All in One Time Clock Lite plugin to the latest available version (greater than 2.0) to eliminate the reflected XSS vulnerability.
  • If upgrading is not immediately possible, configure a web application firewall to block or sanitize the 'nonce' parameter so that non‑numeric or script payloads are rejected.
  • As a temporary measure, disable the All in One Time Clock Lite plugin until a patched version is released by the vendor.

Generated by OpenCVE AI on April 21, 2026 at 19:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-23429 The All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'nonce' parameter in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
History

Tue, 05 Aug 2025 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Codebangers
Codebangers all In One Time Clock Lite
Wordpress
Wordpress wordpress
Vendors & Products Codebangers
Codebangers all In One Time Clock Lite
Wordpress
Wordpress wordpress

Mon, 04 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 02 Aug 2025 08:45:00 +0000

Type Values Removed Values Added
Description The All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'nonce' parameter in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier <= 2.0 - Reflected Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Codebangers All In One Time Clock Lite
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:04:21.783Z

Reserved: 2025-06-27T18:17:51.215Z

Link: CVE-2025-6832

cve-icon Vulnrichment

Updated: 2025-08-04T13:43:08.357Z

cve-icon NVD

Status : Deferred

Published: 2025-08-02T09:15:26.757

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-6832

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T19:30:06Z

Weaknesses