CVE-2025-6833: 
WordPress vulnerability analysis and mitigation

The All in One Time Clock Lite WordPress plugin (versions up to 2.0) contains an Insecure Direct Object Reference vulnerability (CVE-2025-6833). The vulnerability was discovered by Jonas Benjamin Friedli and publicly disclosed on October 21, 2025. The issue exists in the 'aiotimeclocklitejs' AJAX action due to missing validation on a user-controlled key, affecting the time clock functionality of the plugin (NVD).

The vulnerability is classified as a CWE-639 (Authorization Bypass Through User-Controlled Key) with a CVSS v3.1 Base Score of 4.3 (Medium). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), affecting only the user scope (S:U), with no impact on confidentiality (C:N), low impact on integrity (I:L), and no impact on availability (A:N) (NVD).

The vulnerability allows authenticated attackers with subscriber-level access or higher to manipulate the time clock system by clocking other users in and out of their shifts without proper authorization (NVD).

The vulnerability has been patched in version 2.0.1 of the All in One Time Clock Lite plugin. Users are advised to update to this latest version which includes security fixes and toast error corrections (WordPress Plugin).