Description
The All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0 via the 'aio_time_clock_lite_js' AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber access and above, to clock other users in and out.
Published: 2025-10-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Allows authenticated users to clock other employees in and out, undermining timekeeping integrity.
Action: Apply Patch
AI Analysis

Impact

The All in One Time Clock Lite WordPress plugin is vulnerable because the AJAX action 'aio_time_clock_lite_js' accepts a user‑controlled key without verifying that the caller owns the referenced clock record. The bug is an insecure direct object reference, classified as CWE‑639. Attackers who are logged in with a subscriber role or higher can submit arbitrary key values to cause the plugin to record in‑time or out‑time events on behalf of any other user. This lets an attacker create, modify or erase time entries, which can distort payroll calculations, time‑off tracking and compliance reporting.

Affected Systems

All versions of the plugin up to and including 2.0 are affected. The product vendor is Codebangers, and the affected application is the "All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier" WordPress plugin. No specific sub‑version details are given beyond the general cutoff at 2.0.

Risk and Exploitability

The CVSS score of 4.3 labels the vulnerability as moderate. The EPSS score is reported as less than 1 %, indicating a very low chance of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack path requires an authenticated user with subscriber or higher permissions; the attacker simply crafts an AJAX request to 'aio_time_clock_lite_js' with a forged key to influence another user's clock‑in/out status. Because the problem stems from missing authorization checks, no network‑level or remote code execution is required.

Generated by OpenCVE AI on April 20, 2026 at 19:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest version of All in One Time Clock Lite (any release above 2.0) to resolve the missing validation.
  • Verify that only user roles with administrative authority can access the AJAX action; remove or restrict subscriber access in the plugin’s settings or via a custom role‑based filter.
  • If an immediate update is not possible, add a temporary configuration or custom plugin that blocks or logs access to the 'aio_time_clock_lite_js' action from non‑admin roles, and review and correct role permissions in your WordPress CMS.

Generated by OpenCVE AI on April 20, 2026 at 19:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Oct 2025 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Codebangers
Codebangers all In One Time Clock Lite
Wordpress
Wordpress wordpress
Vendors & Products Codebangers
Codebangers all In One Time Clock Lite
Wordpress
Wordpress wordpress

Wed, 22 Oct 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Oct 2025 09:45:00 +0000

Type Values Removed Values Added
Description The All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0 via the 'aio_time_clock_lite_js' AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber access and above, to clock other users in and out.
Title All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier <= 2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Clocking In/Out
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Codebangers All In One Time Clock Lite
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:21:16.399Z

Reserved: 2025-06-27T18:21:52.647Z

Link: CVE-2025-6833

cve-icon Vulnrichment

Updated: 2025-10-22T13:31:34.339Z

cve-icon NVD

Status : Deferred

Published: 2025-10-22T10:15:33.010

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-6833

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T19:15:15Z

Weaknesses