CVE-2025-11758: CWE-862 Missing Authorization in codebangers All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier
The All in One Time Clock Lite plugin for WordPress is vulnerable to unauthorized access due to a missing authorization check in all versions up to, and including, 2.0.3. This is due to the plugin exposing admin-level AJAX actions to unauthenticated users via wp_ajax_nopriv_ hooks, while relying only on a nonce check without capability checks. This makes it possible for unauthenticated attackers to create published pages, create shift records with integrity issues, and download time reports containing PII (employee names and work schedules).
AI Analysis
Technical Summary
The All in One Time Clock Lite WordPress plugin, widely used for tracking employee time, suffers from a missing authorization vulnerability (CWE-862) identified as CVE-2025-11758. The root cause is the exposure of admin-level AJAX endpoints to unauthenticated users via the wp_ajax_nopriv_ hooks, which are intended for non-logged-in users. The plugin attempts to protect these endpoints using nonce checks; however, it fails to verify user capabilities or roles, allowing attackers to bypass authorization controls completely. This flaw enables unauthenticated remote attackers to perform privileged actions such as creating published pages within the WordPress site, manipulating shift records that can compromise data integrity, and downloading time reports containing sensitive employee information including names and work schedules. The vulnerability affects all versions up to and including 2.0.3. The CVSS v3.1 base score is 6.5, reflecting medium severity, with attack vector network (remote), low attack complexity, no privileges required, and no user interaction needed. Although no public exploits are currently known, the potential for data leakage and unauthorized data manipulation is significant, especially for organizations relying on this plugin for workforce management. The lack of proper authorization checks in AJAX handlers is a common security oversight in WordPress plugins, emphasizing the need for capability verification alongside nonce validation.
Potential Impact
The vulnerability allows unauthenticated attackers to access and manipulate sensitive employee time tracking data, leading to several impactful consequences. Confidentiality is compromised as attackers can download reports containing personally identifiable information (PII) such as employee names and work schedules, potentially violating privacy regulations like GDPR or HIPAA. Integrity is affected because attackers can create or alter shift records, which may disrupt payroll, attendance tracking, and operational planning. Additionally, the ability to create published pages could be leveraged for defacement, phishing, or further exploitation within the affected WordPress site. Although availability is not directly impacted, the operational disruption and reputational damage from data leakage and unauthorized content creation can be significant. Organizations using this plugin risk non-compliance with data protection laws, loss of employee trust, and potential financial penalties. The ease of exploitation without authentication or user interaction increases the threat level, making it accessible to a wide range of attackers including automated bots and opportunistic threat actors.
Mitigation Recommendations
Immediate mitigation steps include disabling or uninstalling the All in One Time Clock Lite plugin until a secure patched version is released. Administrators should monitor their WordPress sites for unauthorized published pages and suspicious activity related to shift records and report downloads. Implementing a Web Application Firewall (WAF) with rules to block or restrict access to wp_ajax_nopriv_ endpoints associated with this plugin can reduce exposure. Site owners should audit all AJAX handlers in their plugins to ensure proper authorization checks beyond nonce validation, specifically verifying user capabilities or roles before processing requests. Once the vendor releases a patch, prompt updating to the fixed version is critical. Additionally, organizations should review access logs for signs of exploitation attempts and consider rotating any credentials or tokens that may have been compromised. Employing least privilege principles for WordPress user roles and regularly backing up data can help mitigate the impact of potential data manipulation. Finally, educating site administrators about secure plugin development and deployment practices can prevent similar vulnerabilities.
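As an added illustration of the handler audit recommended above (example code, not the plugin's or the advisory's own), the following Python script maps `wp_ajax_nopriv_` registrations to their handler functions in a constructed sample plugin source and flags any anonymous-reachable handler that performs only a nonce check and never a capability check. The action and handler names are constructed for the example; the brace-matching parser is deliberately simplified and assumes top-level, well-formed PHP functions.

```python
import re
# Constructed sample plugin source for this example (not the real plugin's code): demo_save_shift
# is reachable anonymously with only a nonce check, demo_export also checks a capability,
# and demo_delete_shift is registered for logged-in users only.
SAMPLE_PLUGIN_PHP = r"""
add_action('wp_ajax_nopriv_demo_save_shift', 'demo_save_shift');
add_action('wp_ajax_nopriv_demo_export', 'demo_export');
add_action('wp_ajax_demo_delete_shift', 'demo_delete_shift');
function demo_save_shift() {
    check_ajax_referer('demo_nonce', 'nonce');  // CSRF token only, no authorization
    wp_insert_post(array('post_type' => 'page', 'post_status' => 'publish'));
    wp_die();
}
function demo_export() {
    check_ajax_referer('demo_nonce', 'nonce');
    if (!current_user_can('manage_options')) { wp_die('forbidden', 403); }
    wp_die();
}
function demo_delete_shift() { if (!current_user_can('edit_posts')) { wp_die('', 403); } wp_die(); }
"""
HOOK_RE = re.compile(r"""add_action\(\s*['"]wp_ajax_(nopriv_)?(\w+)['"]\s*,\s*['"](\w+)['"]""")
CAP_CHECKS = ("current_user_can(", "user_can(")
NONCE_CHECKS = ("check_ajax_referer(", "wp_verify_nonce(")

def function_body(src, name):
    """Return the body of a top-level PHP function via brace matching (simplified parser)."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit_ajax_handlers(src):
    """Map each registered AJAX action to its handler and record which checks the body performs."""
    findings = []
    for nopriv, action, handler in HOOK_RE.findall(src):
        body = function_body(src, handler) or ""
        has_cap = any(c in body for c in CAP_CHECKS)
        findings.append({"action": action, "handler": handler, "nopriv": bool(nopriv),
                         "nonce_check": any(n in body for n in NONCE_CHECKS),
                         "capability_check": has_cap,
                         "risk": bool(nopriv) and not has_cap})  # the CVE-2025-11758 pattern
    return findings

def risky_handlers(src):
    """Handlers reachable without login that never verify a capability."""
    return sorted(f["handler"] for f in audit_ajax_handlers(src) if f["risk"])
```

Run it over a plugin's PHP files instead of the constructed sample to get a first-pass list of handlers that need a `current_user_can()` check added before any privileged work.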
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, India, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-14T18:48:55.613Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690984dc2b77ca42b4883e69
Added to database: 11/4/2025, 4:45:16 AM
Last enriched: 2/27/2026, 7:18:23 PM
Last updated: 3/23/2026, 1:02:19 PM