CVE-2024-9593
Time Clock <= 1.2.2 & Time Clock Pro <= 1.1.4 - Unauthenticated (Limited) Remote Code Execution
| CVSS Score | 8.3 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
The Time Clock plugin and Time Clock Pro plugin for WordPress are vulnerable to Remote Code Execution in versions up to, and including, 1.2.2 (for Time Clock) and 1.1.4 (for Time Clock Pro) via the 'etimeclockwp_load_function_callback' function. This allows unauthenticated attackers to execute code on the server. The invoked function's parameters cannot be specified.
| CWE | CWE-94 |
| Vendor | scott paterson |
| Product | time clock pro |
| Published | Oct 18, 2024 |
| Last Updated | Apr 8, 2026 |
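CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
| Attack Vector | Network (AV:N) |
| Attack Complexity | Low (AC:L) |
| Privileges Required | None (PR:N) |
| User Interaction | None (UI:N) |
| Scope | Changed (S:C) |
| Confidentiality | Low (C:L) |
| Integrity | Low (I:L) |
| Availability | Low (A:L) |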
Affected Versions
| Scott Paterson / Time Clock Pro | 0 ≤ 1.1.4 |
| scottpaterson / Time Clock – A WordPress Employee & Volunteer Time Clock Plugin | 0 ≤ 1.2.2 |
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/247e599a-74e2-41d5-a1ba-978a807e6544?source=cve
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/time-clock/tags/1.2.2/includes/admin/ajax_functions_admin.php#L58
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3171046/time-clock#file40
Credits
István Márton