Clockinator Lite Security & Risk Analysis

wordpress.org/plugins/clockify-lite

Clockinator Lite is a powerful and easy-to-use employee and attendance management plugin for WordPress.

100 active installs · v1.0.9 · PHP 7.0+ · WP 5.0+ · Updated Mar 28, 2026

Tags: attendance-management · employee-management · hr-management · leave-management · shift-management

Score 79 · B · Generally Safe

CVEs total: 1
Unpatched: 1
Last CVE: Apr 1, 2025
Safety Verdict

Is Clockinator Lite Safe to Use in 2026?

Mostly Safe

Score 79/100

Clockinator Lite is generally safe to use. 1 past CVE was resolved.

1 known CVE · 1 unpatched · Last CVE: Apr 1, 2025 · Updated 1mo ago
Risk Assessment

The clockify-lite v1.0.8 plugin presents a mixed security posture. On the positive side, it demonstrates good practice in output escaping, with 96% of outputs properly escaped, and a high proportion (81%) of SQL queries using prepared statements. It also includes a good number of nonce checks (41).

However, significant concerns arise from the extensive attack surface, particularly the 92 AJAX handlers that lack authentication checks. This represents a substantial risk, as any unauthenticated user could potentially trigger these handlers. Taint analysis identified 2 flows with unsanitized paths; although these are rated high severity rather than critical, they indicate potential injection vulnerabilities. The use of the `unserialize` function, a known vector for remote code execution when applied to untrusted input, is also a concern.

The plugin's vulnerability history, with one medium severity CVE and a pattern of missing authorization, reinforces the concerns about its authentication and authorization mechanisms. Although the last reported vulnerability affected an earlier version, the nature of that issue (missing authorization) aligns with the static analysis finding of numerous unprotected AJAX handlers. Overall, while some good security practices are evident, the high number of unprotected AJAX endpoints, the taint analysis findings, and the historical vulnerability pattern create significant security risks that require immediate attention.

Key Concerns

  • Numerous unprotected AJAX handlers
  • Taint analysis: 2 high severity flows
  • Vulnerability history: 1 medium unpatched CVE
  • Dangerous function: unserialize
  • Capability checks: 0
  • Bundled library: DataTables (potential for known vulns if outdated)
Vulnerabilities
1 published

Clockinator Lite Security Vulnerabilities

CVEs by Year

2025: 1 CVE (unpatched)

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-31777 · medium · 5.3 · Missing Authorization

Clockinator Lite <= 1.0.7 - Missing Authorization

Apr 1, 2025 · Unpatched
Version History

Clockinator Lite Release Timeline

v1.0.9 (Current) · 1 CVE
v1.0.8 · 1 CVE
v1.0.7 · 1 CVE
v1.0.6 · 1 CVE
v1.0.5 · 1 CVE
v1.0.4 · 1 CVE
v1.0.3 · 1 CVE
v1.0.2 · 1 CVE
v1.0.1 · 1 CVE
v1.0 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

Clockinator Lite Code Analysis

Dangerous Functions: 21
Raw SQL Queries: 20 (85 prepared)
Unescaped Output: 31 (809 escaped)
Nonce Checks: 41
Capability Checks: 0
File Operations: 0
External Requests: 1
Bundled Libraries: 1

Dangerous Functions Found

unserialize · $extra = unserialize( BTCLite_Helper::btclite_verify_value( $data->extra ) ); · admin\inc\actions\clock-employees-actions.php:234
unserialize · $bank = unserialize( BTCLite_Helper::btclite_verify_value( $data->bank ) ); · admin\inc\actions\clock-employees-actions.php:235
unserialize · $breaks_data = ! empty( $reports_data->breaks ) ? unserialize( $reports_data->breaks ) : ''; · admin\inc\actions\clock-reports-actions.php:170
unserialize · $feedback = unserialize( $targetd->feedback ); · admin\inc\actions\clock-target-actions.php:180
unserialize · $employer_extra = unserialize( BTCLite_Helper::btclite_verify_value( $users->extra ) ); · admin\inc\controllers\clock-employees-panel.php:659
unserialize · $feedback = unserialize( $target->feedback ); · admin\inc\helpers\clock-helper.php:541
unserialize · $feedback = unserialize( $target->feedback ); · admin\inc\helpers\clock-helper.php:553
unserialize · $breaks_data = unserialize( $report->breaks ); · admin\inc\helpers\clock-helper.php:1011
unserialize · $breaks_data = ! empty( $report->breaks ) ? unserialize( $report->breaks ) : ''; · admin\inc\helpers\clock-helper.php:1193
unserialize · $breaks_data = unserialize( $report->breaks ); · admin\inc\helpers\clock-helper.php:1236
unserialize · $extra = unserialize( $extra ); · admin\inc\helpers\clock-helper.php:1282
unserialize · $request = unserialize( $request['body'] ); · admin\inc\helpers\clock-helper.php:1312
unserialize · $breaks_data = ! empty( $report->breaks ) ? unserialize( $report->breaks ) : ''; · admin\inc\helpers\clock-helper.php:1356
unserialize · $feedback = unserialize( $target->feedback ); · admin\inc\views\target\target.php:11
unserialize · $breaks_data = unserialize( $breaks ); · public\inc\actions\clock-btn-actions.php:146
unserialize · $breaks_data = unserialize( $breaks_data ); · public\inc\actions\clock-btn-actions.php:202
unserialize · $employer_extra = unserialize( BTCLite_Helper::btclite_verify_value( $employer_data->extra ) ); · public\inc\actions\clock-profile-actions.php:21
unserialize · $breaks_data = ! empty( $reports_data->breaks ) ? unserialize( $reports_data->breaks ) : ''; · public\inc\actions\clock-reports-actions.php:161
unserialize · $employer_extra = unserialize( BTCLite_Helper::btclite_verify_value( $employer_data->extra ) ); · public\inc\views\clock-profile.php:6
unserialize · $employer_bank = unserialize( BTCLite_Helper::btclite_verify_value( $employer_data->bank ) ); · public\inc\views\clock-profile.php:7
unserialize · $feedback = unserialize( $target->feedback ); · public\inc\views\targets\target.php:11

Bundled Libraries

DataTables

SQL Query Safety

81% prepared · 105 total queries

Output Escaping

96% escaped · 840 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

25 flows · 2 with unsanitized paths
btclite_edit_departments (admin\inc\actions\clock-department-actions.php:45)
Attack Surface
92 unprotected

Clockinator Lite Attack Surface

Entry Points: 102
Unprotected: 92

AJAX Handlers 92

auth · wp_ajax_btcl-settings · admin\admin.php:25
auth · wp_ajax_btcl-strings-options · admin\admin.php:28
nopriv · wp_ajax_btcl_save_shifts · admin\admin.php:33
auth · wp_ajax_btcl_save_shifts · admin\admin.php:34
nopriv · wp_ajax_btcl_edit_shifts · admin\admin.php:37
auth · wp_ajax_btcl_edit_shifts · admin\admin.php:38
nopriv · wp_ajax_btcl_delete_shifts · admin\admin.php:41
auth · wp_ajax_btcl_delete_shifts · admin\admin.php:42
nopriv · wp_ajax_btcl_update_shifts · admin\admin.php:45
auth · wp_ajax_btcl_update_shifts · admin\admin.php:46
nopriv · wp_ajax_btcl_save_departments · admin\admin.php:51
auth · wp_ajax_btcl_save_departments · admin\admin.php:52
nopriv · wp_ajax_btcl_edit_departments · admin\admin.php:55
auth · wp_ajax_btcl_edit_departments · admin\admin.php:56
nopriv · wp_ajax_btcl_delete_departments · admin\admin.php:59
auth · wp_ajax_btcl_delete_departments · admin\admin.php:60
nopriv · wp_ajax_btcl_update_departments · admin\admin.php:63
auth · wp_ajax_btcl_update_departments · admin\admin.php:64
nopriv · wp_ajax_btcl_fetch_employees · admin\admin.php:69
auth · wp_ajax_btcl_fetch_employees · admin\admin.php:70
nopriv · wp_ajax_btcl_save_employees · admin\admin.php:73
auth · wp_ajax_btcl_save_employees · admin\admin.php:74
nopriv · wp_ajax_btcl_edit_employees · admin\admin.php:77
auth · wp_ajax_btcl_edit_employees · admin\admin.php:78
nopriv · wp_ajax_btcl_update_employees · admin\admin.php:81
auth · wp_ajax_btcl_update_employees · admin\admin.php:82
nopriv · wp_ajax_btcl_delete_employees · admin\admin.php:85
auth · wp_ajax_btcl_delete_employees · admin\admin.php:86
nopriv · wp_ajax_btcl_save_holidays · admin\admin.php:91
auth · wp_ajax_btcl_save_holidays · admin\admin.php:92
nopriv · wp_ajax_btcl_edit_holidays · admin\admin.php:95
auth · wp_ajax_btcl_edit_holidays · admin\admin.php:96
nopriv · wp_ajax_btcl_delete_holidays · admin\admin.php:99
auth · wp_ajax_btcl_delete_holidays · admin\admin.php:100
nopriv · wp_ajax_btcl_update_holidays · admin\admin.php:103
auth · wp_ajax_btcl_update_holidays · admin\admin.php:104
nopriv · wp_ajax_btcl_edit_requests · admin\admin.php:109
auth · wp_ajax_btcl_edit_requests · admin\admin.php:110
nopriv · wp_ajax_btcl_update_requests · admin\admin.php:113
auth · wp_ajax_btcl_update_requests · admin\admin.php:114
nopriv · wp_ajax_btcl_save_events · admin\admin.php:119
auth · wp_ajax_btcl_save_events · admin\admin.php:120
nopriv · wp_ajax_btcl_edit_events · admin\admin.php:123
auth · wp_ajax_btcl_edit_events · admin\admin.php:124
nopriv · wp_ajax_btcl_update_events · admin\admin.php:127
auth · wp_ajax_btcl_update_events · admin\admin.php:128
nopriv · wp_ajax_btcl_delete_events · admin\admin.php:131
auth · wp_ajax_btcl_delete_events · admin\admin.php:132
nopriv · wp_ajax_btcl_generate_staff_report · admin\admin.php:137
auth · wp_ajax_btcl_generate_staff_report · admin\admin.php:138
nopriv · wp_ajax_btcl_edit_reports · admin\admin.php:141
auth · wp_ajax_btcl_edit_reports · admin\admin.php:142
nopriv · wp_ajax_btcl_fetch_clock_reports · admin\admin.php:145
auth · wp_ajax_btcl_fetch_clock_reports · admin\admin.php:146
nopriv · wp_ajax_btcl_update_fetch_reports · admin\admin.php:149
auth · wp_ajax_btcl_update_fetch_reports · admin\admin.php:150
nopriv · wp_ajax_btcl_delete_all_entries · admin\admin.php:155
auth · wp_ajax_btcl_delete_all_entries · admin\admin.php:156
nopriv · wp_ajax_btcl_save_targets · admin\admin.php:161
auth · wp_ajax_btcl_save_targets · admin\admin.php:162
nopriv · wp_ajax_btcl_edit_targets · admin\admin.php:165
auth · wp_ajax_btcl_edit_targets · admin\admin.php:166
nopriv · wp_ajax_btcl_add_trecords · admin\admin.php:169
auth · wp_ajax_btcl_add_trecords · admin\admin.php:170
nopriv · wp_ajax_btcl_delete_details · admin\admin.php:173
auth · wp_ajax_btcl_delete_details · admin\admin.php:174
nopriv · wp_ajax_btcl_save_leaves · public\public.php:39
auth · wp_ajax_btcl_save_leaves · public\public.php:40
nopriv · wp_ajax_btcl_edit_leaves · public\public.php:43
auth · wp_ajax_btcl_edit_leaves · public\public.php:44
nopriv · wp_ajax_btcl_delete_leaves · public\public.php:47
auth · wp_ajax_btcl_delete_leaves · public\public.php:48
nopriv · wp_ajax_btcl_update_leaves · public\public.php:51
auth · wp_ajax_btcl_update_leaves · public\public.php:52
nopriv · wp_ajax_btcl_clock_in · public\public.php:57
auth · wp_ajax_btcl_clock_in · public\public.php:58
nopriv · wp_ajax_btcl_clock_out · public\public.php:61
auth · wp_ajax_btcl_clock_out · public\public.php:62
nopriv · wp_ajax_btcl_break_in · public\public.php:65
auth · wp_ajax_btcl_break_in · public\public.php:66
nopriv · wp_ajax_btcl_break_out · public\public.php:69
auth · wp_ajax_btcl_break_out · public\public.php:70
nopriv · wp_ajax_btcl_submit_report · public\public.php:73
auth · wp_ajax_btcl_submit_report · public\public.php:74
nopriv · wp_ajax_btcl_generate_staff_reports · public\public.php:79
auth · wp_ajax_btcl_generate_staff_reports · public\public.php:80
nopriv · wp_ajax_btcl_edit_staff_reports · public\public.php:83
auth · wp_ajax_btcl_edit_staff_reports · public\public.php:84
nopriv · wp_ajax_btcl_save_profile · public\public.php:89
auth · wp_ajax_btcl_save_profile · public\public.php:90
nopriv · wp_ajax_btcl_fetch_target_details · public\public.php:96
auth · wp_ajax_btcl_fetch_target_details · public\public.php:97

Shortcodes 10

[btcl-dashboard] public\public.php:19
[btcl-last-day-wotking-hours] public\public.php:22
[btcl-total-attendance] public\public.php:23
[btcl-total-absents] public\public.php:24
[btcl-clockin-buttons] public\public.php:25
[btcl-attendance-reports] public\public.php:26
[btcl-leave-requests] public\public.php:27
[btcl-holiday-list] public\public.php:28
[btcl-upcoming-holidays] public\public.php:29
[btcl-upcoming-events] public\public.php:30
WordPress Hooks 8
action · admin_menu · admin\admin.php:19
action · init · admin\admin.php:22
action · admin_notices · admin\clock-admin-notice.php:19
action · admin_enqueue_scripts · admin\clock-admin-notice.php:25
action · plugins_loaded · public\public.php:13
action · wp_enqueue_scripts · public\public.php:16
filter · theme_page_templates · public\public.php:33
filter · page_template · public\public.php:34
Maintenance & Trust

Clockinator Lite Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 28, 2026
PHP min version: 7.0
Downloads: 7K

Community Trust

Rating: 100/100
Number of ratings: 2
Active installs: 100
Developer Profile

Clockinator Lite Developer Profile

BeastThemes

3 plugins · 180 total installs

Trust score: 86
Avg Security Score: 88/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Clockinator Lite

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/clockify-lite/admin/css/clock-admin-notice.css

HTML / DOM Fingerprints

CSS Classes
btcl-notice, btcl-notice__content, btcl-notice__actions, btcl-button
JS Globals
BTCLite_PLUGIN_URL, BTCLite_PLUGIN_DIR_PATH, BTCLite_PLUGIN_BASENAME, BTCLite_PLUGIN_FILE
FAQ

Frequently Asked Questions about Clockinator Lite