CVE-2025-7664: 
WordPress vulnerability analysis and mitigation

The AL Pack plugin for WordPress contains a vulnerability (CVE-2025-7664) discovered on August 16, 2025, affecting all versions up to and including 1.0.2. The vulnerability stems from a missing capability check in the checkactivatepermission() permission callback for the /wp-json/presslearn/v1/activate REST API endpoint (NVD).

The vulnerability is characterized by a missing authorization check (CWE-862) in the REST API endpoint. The callback function processes the client-supplied Origin header and permits the request if it matches trusted domains, without performing proper user authentication, capability verification, or nonce token validation. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to activate premium features by simply spoofing the Origin header, potentially leading to unauthorized access to premium functionality without proper payment or authorization (NVD).

The vulnerability has been addressed in version 1.1.2 of the AL Pack plugin, which includes enhanced REST API permission checks, a multi-layer security verification system during activation, and improved security logging (WordPress Plugin).