CVE-2025-11758: CWE-862 Missing Authorization in codebangers All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier
The All in One Time Clock Lite plugin for WordPress is vulnerable to unauthorized access due to a missing authorization check in all versions up to, and including, 2.0.3. This is due to the plugin exposing admin-level AJAX actions to unauthenticated users via wp_ajax_nopriv_ hooks, while relying only on a nonce check without capability checks. This makes it possible for unauthenticated attackers to create published pages, create shift records with integrity issues, and download time reports containing PII (employee names and work schedules).
AI Analysis
Technical Summary
The All in One Time Clock Lite WordPress plugin (versions up to 2.0.3) suffers from a missing authorization vulnerability classified as CWE-862. The root cause is that admin-level AJAX actions are exposed to unauthenticated users through wp_ajax_nopriv_ hooks. While the plugin implements nonce checks to prevent CSRF, it fails to verify user capabilities or authentication status before allowing these AJAX endpoints to execute sensitive operations. This design flaw enables attackers without any credentials to perform privileged actions such as creating published pages, which could be used for defacement or phishing, and manipulating shift records, potentially corrupting employee time data. More critically, attackers can download time reports containing personally identifiable information (PII) like employee names and work schedules, leading to confidentiality breaches. The vulnerability is remotely exploitable over the network without requiring user interaction or authentication, increasing its attack surface. The CVSS 3.1 base score of 6.5 reflects a medium severity, primarily due to the confidentiality and integrity impacts, with no direct availability impact. No patches or fixes have been officially released at the time of publication, and no active exploits have been reported in the wild. The vulnerability was reserved on October 14, 2025, and published on November 4, 2025, by Wordfence. Organizations using this plugin should consider the risk of unauthorized data exposure and content manipulation inherent in this vulnerability.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive employee information, including names and work schedules, violating data protection regulations such as GDPR. The integrity of employee time records could be compromised, affecting payroll accuracy and operational trust. Unauthorized creation of published pages could facilitate phishing campaigns or defacement, damaging organizational reputation. Since the plugin is commonly used by small and medium-sized enterprises (SMEs) for workforce management, the impact could be widespread in sectors relying on WordPress for internal tools. Data breaches involving PII can result in regulatory fines, legal liabilities, and loss of employee trust. The lack of authentication requirement and network accessibility increase the likelihood of exploitation, especially in environments with publicly accessible WordPress installations. Although no known exploits exist yet, the vulnerability presents a significant risk if weaponized by attackers targeting European businesses.
Mitigation Recommendations
Immediate mitigation involves restricting access to the vulnerable AJAX endpoints by implementing proper capability checks in the plugin code, ensuring only authenticated users with appropriate privileges can invoke sensitive actions. Administrators should monitor web server and WordPress logs for unusual AJAX requests, particularly those targeting wp_ajax_nopriv_ hooks related to the plugin. Until an official patch is released, consider disabling or uninstalling the plugin if feasible to eliminate exposure. Employ Web Application Firewalls (WAFs) with custom rules to block unauthorized AJAX requests targeting the plugin's endpoints. Conduct a thorough audit of published pages and shift records for unauthorized changes or suspicious entries. Educate site administrators on the risks of exposing admin-level functions to unauthenticated users and enforce strict plugin update policies. Finally, ensure backups of employee data and site content are current to enable recovery in case of compromise.
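The hook shape behind this CVE and the capability check the mitigation above calls for, shown side by side as an added PHP illustration that is not the plugin's own code. The action name `aio_tc_download_report`, the nonce action `aio_tc_nonce` and the helper `aio_tc_build_report()` are hypothetical placeholders.

```php
<?php
// Added illustration of the CWE-862 pattern described above; not the plugin's
// own code. 'aio_tc_download_report', 'aio_tc_nonce' and aio_tc_build_report()
// are hypothetical placeholder names.

// Hypothetical data source standing in for the plugin's report builder;
// the record below is constructed sample data.
function aio_tc_build_report() {
    return array(
        array( 'employee' => 'J. Doe', 'shift' => '2025-11-04 09:00-17:00' ),
    );
}

// VULNERABLE SHAPE: one handler wired to both wp_ajax_ (logged-in users) and
// wp_ajax_nopriv_ (anonymous visitors). check_ajax_referer() only confirms the
// request carries a nonce valid for the current session; for a logged-out
// visitor WordPress issues nonces for user ID 0, so a nonce emitted on any
// public page satisfies it. Nothing asks whether the caller may read reports.
function aio_tc_download_report_vulnerable() {
    check_ajax_referer( 'aio_tc_nonce', 'security' );
    wp_send_json_success( aio_tc_build_report() );
}
// Registrations as they would look in the vulnerable version (commented out so
// only the hardened handler is live in this file):
// add_action( 'wp_ajax_aio_tc_download_report',        'aio_tc_download_report_vulnerable' );
// add_action( 'wp_ajax_nopriv_aio_tc_download_report', 'aio_tc_download_report_vulnerable' );

// HARDENED SHAPE: no nopriv registration at all, plus an explicit capability
// check before any sensitive work. The nonce stays as the CSRF control;
// current_user_can() is the authorization control CWE-862 says is missing.
// 'manage_options' is an example capability; use the least-privileged one that
// genuinely matches the action (a custom report-reader capability, for instance).
function aio_tc_download_report_hardened() {
    check_ajax_referer( 'aio_tc_nonce', 'security' );
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() terminates the request after sending the body.
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    wp_send_json_success( aio_tc_build_report() );
}
add_action( 'wp_ajax_aio_tc_download_report', 'aio_tc_download_report_hardened' );
```

The same two-part check (nonce for CSRF, capability for authorization) applies to the page-creation and shift-record actions the advisory lists; a nonce check alone never establishes who the caller is.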
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-14T18:48:55.613Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690984dc2b77ca42b4883e69
Added to database: 11/4/2025, 4:45:16 AM
Last enriched: 11/4/2025, 5:04:48 AM
Last updated: 11/5/2025, 12:47:58 PM