All in One Time Clock Lite WordPress Plugin Insecure Direct Object Reference Vulnerability

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the All in One Time Clock Lite WordPress plugin, in all versions up to and including 2.0. The flaw lies in the 'aio_time_clock_lite_js' AJAX action, which does not validate the user-controlled key that identifies whose time record a request acts on. Because the handler trusts that key instead of binding the operation to the requesting account, an authenticated attacker with subscriber-level access or higher can manipulate the clock-in and clock-out times of other users.
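The following is an added illustrative example, not code from the All in One Time Clock Lite plugin. It shows the generic WordPress AJAX IDOR pattern the advisory describes (a handler that trusts a client-supplied user ID) beside a hardened version that binds the operation to the logged-in user or requires a capability to act on someone else. The action names, the 'user_id' and 'status' parameters, the nonce name and the user-meta key are all hypothetical.

```php
<?php
// Added example, not the plugin's own code. Names below are hypothetical.

// VULNERABLE (hypothetical): the handler trusts the user_id sent by the client.
// Any authenticated user, subscriber included, can send another user's ID and
// clock that user in or out. The nonce check only prevents CSRF; it does not
// decide whether the caller may touch the targeted record.
function example_clock_handler_vulnerable() {
    check_ajax_referer( 'example_clock_nonce', 'nonce' );
    $target_user_id = (int) $_POST['user_id'];               // user-controlled key, never authorized
    $status         = sanitize_text_field( $_POST['status'] );
    update_user_meta( $target_user_id, 'example_clock_status', $status );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_clock_vulnerable', 'example_clock_handler_vulnerable' );

// HARDENED (hypothetical): default the target to the session's own user, validate
// the status value, and require an administrative capability before acting on
// anyone else's record.
function example_clock_handler_hardened() {
    check_ajax_referer( 'example_clock_nonce', 'nonce' );

    $current_user_id = get_current_user_id();
    $target_user_id  = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : $current_user_id;
    $status          = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';

    // Reject anything other than the two expected states.
    if ( ! in_array( $status, array( 'in', 'out' ), true ) ) {
        wp_send_json_error( 'invalid status', 400 );
    }

    // Object-level authorization: only the user themselves, or a user who can
    // edit other users (administrators by default), may change this record.
    if ( $target_user_id !== $current_user_id && ! current_user_can( 'edit_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    update_user_meta( $target_user_id, 'example_clock_status', $status );
    wp_send_json_success( array( 'user_id' => $target_user_id, 'status' => $status ) );
}
add_action( 'wp_ajax_example_clock_hardened', 'example_clock_handler_hardened' );
```

The hardened handler keeps the nonce check but treats it as what it is, a CSRF defense, and adds the missing authorization decision: the identifier from the request is compared against the session's own identity before it is used as a key. When reviewing a plugin for this class of bug, search its wp_ajax_ handlers for IDs taken from $_POST or $_GET that flow into user-, post- or row-level writes without a current_user_can() or get_current_user_id() comparison on the way.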

Impact

Exploitation allows any authenticated user with subscriber privileges or higher to clock other users in and out at will, producing unauthorized changes to time-tracking records. Because only a low-privilege account is required, sites that allow open user registration are the most exposed.

Remediation

Update the All in One Time Clock Lite WordPress plugin to version 2.0.1, the first patched release, or a newer version. After updating, confirm the installed version on the Plugins page, since the vulnerable 2.0 release should no longer be present anywhere in the deployment.

Added: Oct 22, 2025, 10:18 AM
Updated: Oct 22, 2025, 10:18 AM

Vulnerability Rating

Custom Algorithm

spread          1.0
impact          0.6
exploitability  6.1
remediation     7.7
relevance       0.8
threat          3.2
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.