PT-2025-44939 · WordPress · All In One Time Clock Lite

Athiwat Tiprasaharn · Published 2025-11-04 · Updated 2025-11-04 · CVE-2025-11758

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: All in One Time Clock Lite versions up to and including 2.0.3

Description: The plugin exhibits unauthorized access due to a missing authorization check. Admin-level AJAX actions are exposed to unauthenticated users through wp_ajax_nopriv_ hooks, relying solely on a nonce check without capability checks. This allows attackers to create published pages, create shift records with integrity issues, and download time reports containing PII, such as employee names and work schedules.

Recommendations: Update to a version beyond 2.0.3.
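The weakness class described above, as an added illustration that is not the plugin's own code: a WordPress AJAX handler that only verifies a nonce and is registered on a wp_ajax_nopriv_ hook, next to a hardened version that keeps the nonce for CSRF protection, adds a capability check, and is registered on the authenticated hook only. The action name, nonce name, capability and report-building helper are hypothetical.

```php
<?php
/*
 * Added example, not code from All in One Time Clock Lite.
 * Hook names, nonce action, capability and the report helper are hypothetical.
 */

// Constructed sample data standing in for the real time report.
function hypothetical_build_time_report_csv() {
    return "employee,shift_start,shift_end\n"
         . "Jane Doe,2025-11-03 08:00,2025-11-03 16:00\n";
}

// ---- Vulnerable pattern: nonce check only, reachable without logging in ----
function hypothetical_download_report_vulnerable() {
    // A nonce shows the request originated from a page that embedded it.
    // It says nothing about who the requester is or what they may do,
    // so on its own it is CSRF protection, not authorization.
    check_ajax_referer( 'hypothetical_report_nonce', 'security' );

    header( 'Content-Type: text/csv' );
    echo hypothetical_build_time_report_csv(); // employee PII leaves the site
    wp_die();
}
// The wp_ajax_nopriv_ registration exposes the same callback to logged-out users.
add_action( 'wp_ajax_hypothetical_download_report',        'hypothetical_download_report_vulnerable' );
add_action( 'wp_ajax_nopriv_hypothetical_download_report', 'hypothetical_download_report_vulnerable' );

// ---- Hardened pattern: authenticated hook + nonce + capability check ----
function hypothetical_download_report_hardened() {
    // 1. Keep the nonce: it still protects against cross-site request forgery.
    check_ajax_referer( 'hypothetical_report_nonce', 'security' );

    // 2. Authorize: require an explicit capability for this admin-level action.
    //    wp_send_json_error() ends the request, so no output follows on failure.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    header( 'Content-Type: text/csv' );
    header( 'Content-Disposition: attachment; filename="time-report.csv"' );
    echo hypothetical_build_time_report_csv();
    wp_die();
}
// Authenticated hook only: no wp_ajax_nopriv_ registration for a privileged action.
add_action( 'wp_ajax_hypothetical_download_report', 'hypothetical_download_report_hardened' );
```

When reviewing a plugin for this pattern, list every wp_ajax_nopriv_ registration and confirm that each callback either performs work that is genuinely meant for anonymous visitors or enforces current_user_can() for the specific capability the action needs; a check_ajax_referer() call by itself does not satisfy that requirement.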

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2025-11758

Affected Products

All In One Time Clock Lite