All in One Time Clock Lite Missing Authorization Vulnerability

Vulnerability

A vulnerability exists in the All in One Time Clock Lite plugin for WordPress, affecting all versions up to and including 2.0.3. The issue arises from a missing authorization check, which exposes admin-level AJAX actions to unauthenticated users. The plugin relies solely on a nonce check, without a proper capability check; a nonce only shows that a request originated from a page that embedded it, not that the requester is authorized. This vulnerability allows unauthenticated attackers to create published pages, generate shift records with integrity issues, and access time reports containing personal information, such as employee names and work schedules.

Impact

Exploitation of this vulnerability could lead to unauthorized page creation, integrity issues in shift records, and exposure of personal information through downloaded time reports.

Reproduction

The vulnerability can be reproduced by sending a request to the WordPress site with the 'action' parameter set to 'aio_time_clock_lite_admin_js' or 'aio_time_clock_lite_js'. These actions are handled by the plugin but do not require authentication, allowing unauthenticated users to access them.
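To make the root cause concrete, the following PHP is an added illustration and not the plugin's own source: a hypothetical AJAX handler registered for the action names from this advisory that checks only a nonce, beside a hardened version that also checks a capability and is not exposed to unauthenticated requests. The callback names, the nonce action string and the `publish_pages` capability are assumptions.

```php
<?php
// Added illustration, not the plugin's code. The hook action names come from the
// advisory; callback names, nonce action and capability are assumptions.
// Both variants are shown together for comparison; a real plugin would register
// only one of them for a given action.

// --- Vulnerable pattern: nonce only, and the same handler is also registered on
// --- the wp_ajax_nopriv_ hook, so visitors who are not logged in can reach it.
function aio_example_admin_handler_vulnerable() {
    // A nonce proves the request came from a page that embedded it.
    // It says nothing about WHO is making the request.
    check_ajax_referer( 'aio_time_clock_lite_nonce', 'security' );

    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $id    = wp_insert_post( array(
        'post_title'  => $title,
        'post_type'   => 'page',
        'post_status' => 'publish',   // published immediately, no review
    ) );
    wp_send_json_success( array( 'id' => $id ) );
}
add_action( 'wp_ajax_aio_time_clock_lite_admin_js',        'aio_example_admin_handler_vulnerable' );
add_action( 'wp_ajax_nopriv_aio_time_clock_lite_admin_js', 'aio_example_admin_handler_vulnerable' );

// --- Hardened pattern: authentication and capability check in addition to the
// --- nonce, and no nopriv registration for an admin-level action.
function aio_example_admin_handler_hardened() {
    check_ajax_referer( 'aio_time_clock_lite_nonce', 'security' );

    // Authorization: only users allowed to publish pages may run this action.
    if ( ! is_user_logged_in() || ! current_user_can( 'publish_pages' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    if ( '' === $title ) {
        wp_send_json_error( array( 'message' => 'title required' ), 400 );
    }
    $id = wp_insert_post( array(
        'post_title'  => $title,
        'post_type'   => 'page',
        'post_status' => 'publish',
    ), true );   // return a WP_Error instead of 0 on failure
    if ( is_wp_error( $id ) ) {
        wp_send_json_error( array( 'message' => $id->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'id' => $id ) );
}
// Registered for authenticated requests only; no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_aio_time_clock_lite_admin_js', 'aio_example_admin_handler_hardened' );
```

The same capability check applies to any handler that creates shift records or serves time reports; the capability chosen should be the least one that legitimately needs that data.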

Remediation

No known patch is available. It is recommended to uninstall the affected plugin and find a replacement.

Added: Nov 4, 2025, 5:45 AM
Updated: Nov 4, 2025, 5:45 AM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 3.1
exploitability: 9.3
remediation: 0.0
relevance: 0.9
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.