CVE-2025-7664: 
WordPress vulnerability analysis and mitigation

The AL Pack plugin for WordPress contains an unauthorized access vulnerability (CVE-2025-7664) discovered in versions up to and including 1.0.2. The vulnerability stems from a missing capability check in the checkactivatepermission() permission callback for the /wp-json/presslearn/v1/activate REST API endpoint (NVD).

The vulnerability occurs due to improper validation in the permission callback function. The callback only verifies if the Origin header matches trusted domains, without performing user authentication, capability checks, or nonce token validation. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (Wordfence).

The vulnerability allows unauthenticated attackers to activate premium features by simply spoofing the Origin header. This could result in unauthorized access to premium functionality without proper payment or authorization (NVD).

The plugin has been temporarily closed as of August 14, 2025, pending a full security review. Users are advised to disable the plugin until a patched version is released (WordPress).