CVE-2025-11758: CWE-862 Missing Authorization in codebangers All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier
The All in One Time Clock Lite plugin for WordPress is vulnerable to unauthorized access due to a missing authorization check in all versions up to, and including, 2.0.3. This is due to the plugin exposing admin-level AJAX actions to unauthenticated users via wp_ajax_nopriv_ hooks, while relying only on a nonce check without capability checks. This makes it possible for unauthenticated attackers to create published pages, create shift records with integrity issues, and download time reports containing PII (employee names and work schedules).
AI Analysis
Technical Summary
The All in One Time Clock Lite plugin for WordPress, used to track employee time, contains a missing authorization vulnerability (CWE-862) tracked as CVE-2025-11758. All versions up to and including 2.0.3 register administrative AJAX handlers on wp_ajax_nopriv_ hooks. Those hooks are, by design, reachable through wp-admin/admin-ajax.php by visitors who are not logged in, so there is no authentication to bypass; the defect is that the handlers never perform a capability check such as current_user_can() before acting. The only gate is a WordPress nonce, which is a CSRF token rather than an authorization control: for logged-out visitors the nonce is derived from user ID 0 and an empty session token, so every anonymous client that can read the public page or script where the plugin prints it holds the same valid token. An unauthenticated attacker can therefore invoke the exposed actions to create published pages, create or alter shift records, and download time reports containing PII (employee names and work schedules). The flaw is exploitable over the network with low complexity, no privileges and no user interaction. No public exploit had been reported at the time of writing, but the exposed data and functions make it a meaningful risk for any organisation using the plugin for workforce management. The CVSS 3.1 base score of 6.5 (Medium) corresponds to the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N: low confidentiality and integrity impact, no availability impact. No fixed version was listed when this entry was written, so administrators need to act on their own until one is released.
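The following added example is not code from All in One Time Clock Lite; the action name aio_tc_create_page, the nonce action aio_tc_nonce and the request field names are hypothetical, because the page does not identify the plugin's real identifiers. It shows the registration pattern the advisory describes (handler on both wp_ajax_ and wp_ajax_nopriv_, nonce as the only gate) beside a hardened version of the same handler:

```php
<?php
// Added example, not code from All in One Time Clock Lite. The action name
// 'aio_tc_create_page', the nonce action 'aio_tc_nonce' and the request field
// names are hypothetical; the page does not identify the plugin's real ones.

/* ---- Vulnerable pattern (what the advisory describes) ---------------------
 * The same handler is registered on wp_ajax_ (logged-in callers) and on
 * wp_ajax_nopriv_ (logged-out callers). Its only gate is a nonce check.
 * A nonce is a CSRF token: for logged-out visitors it is derived from user ID 0,
 * so anyone who can read the public page that prints it has a valid one.
 */
add_action('wp_ajax_aio_tc_create_page',        'aio_tc_create_page_vulnerable');
add_action('wp_ajax_nopriv_aio_tc_create_page', 'aio_tc_create_page_vulnerable');

function aio_tc_create_page_vulnerable(): void {
    // Dies on a bad nonce, but says nothing about WHO is calling.
    check_ajax_referer('aio_tc_nonce', 'security');

    $post_id = wp_insert_post([
        'post_type'    => 'page',
        'post_status'  => 'publish',   // published immediately, by an anonymous caller
        'post_title'   => sanitize_text_field(wp_unslash($_POST['title'] ?? '')),
        'post_content' => wp_kses_post(wp_unslash($_POST['content'] ?? '')),
    ], true);

    if (is_wp_error($post_id)) {
        wp_send_json_error(['message' => $post_id->get_error_message()], 500);
    }
    wp_send_json_success(['id' => $post_id]);
}

/* ---- Hardened pattern ------------------------------------------------------
 * 1. No wp_ajax_nopriv_ registration: the action only exists for logged-in users.
 * 2. An explicit capability check inside the handler (defence in depth: it still
 *    holds if someone later re-adds a nopriv hook or calls the function directly).
 * 3. The nonce check stays, because it protects logged-in users against CSRF.
 */
add_action('wp_ajax_aio_tc_create_page', 'aio_tc_create_page_hardened');

function aio_tc_create_page_hardened(): void {
    check_ajax_referer('aio_tc_nonce', 'security');

    // 'publish_pages' is the core capability for creating published pages. Pick the
    // narrowest capability that matches the action; a report download that returns
    // other employees' data needs more than the generic 'read' capability.
    if (!is_user_logged_in() || !current_user_can('publish_pages')) {
        wp_send_json_error(['message' => 'forbidden'], 403); // wp_send_json_error() exits
    }

    $post_id = wp_insert_post([
        'post_type'    => 'page',
        'post_status'  => 'publish',
        'post_author'  => get_current_user_id(),
        'post_title'   => sanitize_text_field(wp_unslash($_POST['title'] ?? '')),
        'post_content' => wp_kses_post(wp_unslash($_POST['content'] ?? '')),
    ], true);

    if (is_wp_error($post_id)) {
        wp_send_json_error(['message' => $post_id->get_error_message()], 500);
    }
    wp_send_json_success(['id' => $post_id]);
}
```

A quick review rule for any installed plugin follows from this: list the wp_ajax_nopriv_ hooks it registers and confirm each one is genuinely meant for anonymous visitors. Anything that writes content or returns per-employee data belongs on wp_ajax_ only, with a capability check in the handler.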
Potential Impact
For European organizations, this vulnerability can lead to unauthorized disclosure of employee personal data, a GDPR-relevant breach with potential legal penalties and reputational damage. The integrity of employee time and shift records can be compromised, affecting payroll accuracy and operational planning. Unauthorized creation of published pages can place defacement or phishing content on a legitimate corporate domain, undermining trust in the site. Because no authentication is needed, exploitation is cheap, which makes small and medium enterprises without rigorous plugin management particularly likely targets. Organizations in sectors with strict labour compliance requirements, such as manufacturing, healthcare and public administration, face heightened risk. The exposed PII and schedule data can also support follow-on targeted attacks or insider threats. Finally, the described actions leave the site running normally, so exploitation produces no outage and can continue unnoticed unless page creation and shift records are being watched.
Mitigation Recommendations
Administrators should first establish whether All in One Time Clock Lite at version 2.0.3 or earlier is installed (the Plugins screen, or `wp plugin list` with WP-CLI). Until a fixed version is available, disabling or uninstalling the plugin removes the exposure entirely. If it must stay active, the practical stop-gap is to block unauthenticated calls to its AJAX actions. AJAX hooks are not URLs, so a WAF rule has to match requests to /wp-admin/admin-ajax.php whose action parameter is one of the plugin's action names (list them by searching the plugin source for the string wp_ajax_nopriv_) and that carry no wordpress_logged_in_* cookie; a must-use plugin that unregisters those nopriv hooks for logged-out callers achieves the same effect server-side. Monitor web server logs for POST requests to admin-ajax.php with those action values, and the site itself for pages published outside the normal editorial flow and for shift records nobody entered. Review user roles and capabilities in general so that a foothold gained this way cannot be extended. Once a patch is available, apply it and confirm that the handlers now call current_user_can() (or an equivalent capability check) in addition to verifying the nonce, and that privileged actions are no longer registered on wp_ajax_nopriv_ hooks at all. Brief staff that content injected on the company site may be used for phishing. Finally, because time reports contain employee PII, check whether the exposure triggers GDPR breach-notification duties and review who can reach that data.
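As a server-side equivalent of the WAF rule above, the following must-use plugin is an added example (not part of this page and not the vendor's code). The directory name all-in-one-time-clock-lite is an assumption to be checked against wp-content/plugins/. For logged-out callers only, it unregisters every wp_ajax_nopriv_ hook whose callback is defined inside that plugin's directory, so admin-ajax.php answers such requests with a 400 instead of running the handler, and it writes a log line for each blocked action:

```php
<?php
/**
 * Plugin Name: Virtual patch: drop unauthenticated AJAX actions of one plugin
 *
 * Added example, not part of the original page or of the vendor's plugin.
 * Save as wp-content/mu-plugins/aio-tc-virtual-patch.php as a stop-gap until a
 * fixed version is installed, then delete it.
 */

// ASSUMPTION: the plugin's directory name. Check wp-content/plugins/ for the real one.
const AIO_TC_VP_PLUGIN_DIR = 'all-in-one-time-clock-lite';

/** Resolve the file that defines a hook callback, or null if it cannot be reflected. */
function aio_tc_vp_callback_file($callback): ?string {
    try {
        if ($callback instanceof Closure || (is_string($callback) && function_exists($callback))) {
            $ref = new ReflectionFunction($callback);
        } elseif (is_array($callback) && count($callback) === 2) {
            $ref = new ReflectionMethod($callback[0], $callback[1]);
        } elseif (is_object($callback) && method_exists($callback, '__invoke')) {
            $ref = new ReflectionMethod($callback, '__invoke');
        } else {
            return null;
        }
        $file = $ref->getFileName();
        return $file === false ? null : $file;
    } catch (ReflectionException $e) {
        return null;
    }
}

/** Names of the wp_ajax_nopriv_* hooks that have at least one callback living in $plugin_dir. */
function aio_tc_vp_find_nopriv_actions(string $plugin_dir): array {
    global $wp_filter; // hook name => WP_Hook; WP_Hook::$callbacks is priority => [id => ['function' => callable, ...]]
    $root  = wp_normalize_path(trailingslashit(WP_PLUGIN_DIR) . $plugin_dir . '/');
    $found = [];
    foreach ($wp_filter as $hook_name => $hook) {
        if (strpos($hook_name, 'wp_ajax_nopriv_') !== 0 || !($hook instanceof WP_Hook)) {
            continue;
        }
        foreach ($hook->callbacks as $callbacks) {
            foreach ($callbacks as $cb) {
                $file = aio_tc_vp_callback_file($cb['function']);
                if ($file !== null && strpos(wp_normalize_path($file), $root) === 0) {
                    $found[] = $hook_name;
                    continue 3; // next hook name
                }
            }
        }
    }
    return $found;
}

// admin-ajax.php fires admin_init before dispatching the action, so removing the
// hooks here at the lowest priority catches callbacks registered at plugin load,
// on init, and on admin_init itself. Logged-in callers use wp_ajax_ hooks, which
// are left untouched.
add_action('admin_init', function () {
    if (!wp_doing_ajax() || is_user_logged_in()) {
        return;
    }
    foreach (aio_tc_vp_find_nopriv_actions(AIO_TC_VP_PLUGIN_DIR) as $hook_name) {
        remove_all_actions($hook_name);
        error_log(sprintf('[aio-tc virtual patch] blocked unauthenticated %s from %s',
            $hook_name, $_SERVER['REMOTE_ADDR'] ?? '?'));
    }
}, PHP_INT_MAX);
```

Because the removal is keyed on where the callback lives, it does not need the plugin's action names, but it also removes any nopriv action the plugin legitimately exposes to logged-out visitors (a public clock-in form, for example), so test it on a staging copy first. It covers only admin-ajax.php, not any other entry point the plugin may have. The error_log() line gives the monitoring step above something concrete to alert on.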
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-14T18:48:55.613Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690984dc2b77ca42b4883e69
Added to database: 11/4/2025, 4:45:16 AM
Last enriched: 11/11/2025, 6:33:44 AM
Last updated: 12/13/2025, 4:21:19 PM
Related Threats
- CVE-2025-14619: SQL Injection in code-projects Student File Management System (Medium)
- CVE-2025-14617: Path Traversal in Jehovahs Witnesses JW Library App (Medium)
- CVE-2025-14607: Memory Corruption in OFFIS DCMTK (Medium)
- CVE-2025-14606: Deserialization in tiny-rdm Tiny RDM (Low)
- CVE-2025-14590: SQL Injection in code-projects Prison Management System (Medium)