{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6833", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-27T18:21:52.647Z", "datePublished": "2025-10-22T09:24:37.989Z", "dateUpdated": "2026-04-08T17:21:16.399Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:16.399Z"}, "affected": [{"vendor": "codebangers", "product": "All in One Time Clock Lite \u2013 Tracking Employee Time Has Never Been Easier", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The All in One Time Clock Lite \u2013 Tracking Employee Time Has Never Been Easier plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0 via the 'aio_time_clock_lite_js' AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber access and above, to clock other users in and out."}], "title": "All in One Time Clock Lite \u2013 Tracking Employee Time Has Never Been Easier <= 2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Clocking In/Out", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c6c48173-ffe3-40f8-a2fa-cee66869e343?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3336943%40aio-time-clock-lite&new=3336943%40aio-time-clock-lite&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-10-21T21:09:38.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-22T13:31:07.115369Z", "id": "CVE-2025-6833", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-22T13:35:53.370Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6833", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-22T13:31:07.115369Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-22T13:31:34.339Z"}}], "cna": {"title": "All in One Time Clock Lite \u2013 Tracking Employee Time Has Never Been Easier <= 2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Clocking In/Out", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "codebangers", "product": "All in One Time Clock Lite \u2013 Tracking Employee Time Has Never Been Easier", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-21T21:09:38.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c6c48173-ffe3-40f8-a2fa-cee66869e343?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3336943%40aio-time-clock-lite&new=3336943%40aio-time-clock-lite&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The All in One Time Clock Lite \u2013 Tracking Employee Time Has Never Been Easier plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0 via the 'aio_time_clock_lite_js' AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber access and above, to clock other users in and out."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:16.399Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6833", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:21:16.399Z", "dateReserved": "2025-06-27T18:21:52.647Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-22T09:24:37.989Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The All in One Time Clock Lite \u2013 Tracking Employee Time Has Never Been Easier plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0 via the 'aio_time_clock_lite_js' AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber access and above, to clock other users in and out."}], "id": "CVE-2025-6833", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-22T10:15:33.010", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3336943%40aio-time-clock-lite&new=3336943%40aio-time-clock-lite&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c6c48173-ffe3-40f8-a2fa-cee66869e343?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T19:08:56.706887+00:00", "value": {"mitigation_remediation": ["Install the latest version of All in One Time Clock Lite (any release above 2.0) to resolve the missing validation.", "Verify that only user roles with administrative authority can access the AJAX action; remove or restrict subscriber access in the plugin\u2019s settings or via a custom role\u2011based filter.", "If an immediate update is not possible, add a temporary configuration or custom plugin that blocks or logs access to the 'aio_time_clock_lite_js' action from non\u2011admin roles, and review and correct role permissions in your WordPress CMS."], "summary": {"action": "Apply Patch", "impact": "Allows authenticated users to clock other employees in and out, undermining timekeeping integrity."}, "threat_synthesis": {"affected_systems": "All versions of the plugin up to and including 2.0 are affected. The product vendor is Codebangers, and the affected application is the \"All in One Time Clock Lite \u2013 Tracking Employee Time Has Never Been Easier\" WordPress plugin. No specific sub\u2011version details are given beyond the general cutoff at 2.0.", "description_and_impact": "The All in One Time Clock Lite WordPress plugin is vulnerable because the AJAX action 'aio_time_clock_lite_js' accepts a user\u2011controlled key without verifying that the caller owns the referenced clock record. The bug is an insecure direct object reference, classified as CWE\u2011639. Attackers who are logged in with a subscriber role or higher can submit arbitrary key values to cause the plugin to record in\u2011time or out\u2011time events on behalf of any other user. This lets an attacker create, modify or erase time entries, which can distort payroll calculations, time\u2011off tracking and compliance reporting.", "risk_and_exploitability": "The CVSS score of 4.3 labels the vulnerability as moderate. The EPSS score is reported as less than 1\u202f%, indicating a very low chance of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack path requires an authenticated user with subscriber or higher permissions; the attacker simply crafts an AJAX request to 'aio_time_clock_lite_js' with a forged key to influence another user's clock\u2011in/out status. Because the problem stems from missing authorization checks, no network\u2011level or remote code execution is required."}}}}, "created": "2025-10-23T10:07:47.474909+00:00", "updated": "2026-04-20T19:15:15.047127+00:00", "vendors": ["codebangers", "codebangers$PRODUCT$all_in_one_time_clock_lite", "wordpress", "wordpress$PRODUCT$wordpress"]}