CVE-2025-7664 Overview
CVE-2025-7664 affects the AL Pack plugin for WordPress in all versions up to and including 1.1.1. The plugin exposes a REST API endpoint at /wp-json/presslearn/v1/activate that fails to verify user authentication, capabilities, or nonce tokens. The check_activate_permission() callback relies only on the client-supplied Origin header to authorize requests. Unauthenticated attackers can spoof the Origin header to activate premium features without credentials. The vulnerability is classified under CWE-862: Missing Authorization.
Critical Impact
Unauthenticated remote attackers can activate premium plugin features by spoofing a single HTTP header, bypassing all authentication controls.
Affected Products
- AL Pack plugin for WordPress (presslearn) — all versions through 1.1.1
- WordPress sites with the plugin enabled and the /wp-json/presslearn/v1/activate endpoint reachable
- Fixed in versions released after WordPress plugin changeset #3346754
Discovery Timeline
- 2025-08-16 - CVE-2025-7664 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-7664
Vulnerability Analysis
The AL Pack plugin registers a REST API route at /wp-json/presslearn/v1/activate that handles activation of premium features. WordPress REST routes are expected to enforce authorization via a permission_callback. In this plugin, the registered callback check_activate_permission() does not invoke current_user_can(), is_user_logged_in(), or wp_verify_nonce(). Instead, it reads the HTTP Origin header from the request, parses it, and approves the request if the value matches a hard-coded list of trusted domains. Since the Origin header is fully controlled by the HTTP client, this check provides no real authorization boundary.
Root Cause
The root cause is a missing capability check [CWE-862]. The plugin conflates origin validation, a Cross-Origin Resource Sharing (CORS) control meant for browsers, with authentication. The Origin header and CORS response headers exist so that browsers can enforce cross-origin restrictions on scripts they run; the server gains no assurance from them, because any direct HTTP client such as curl or a scripted request can set Origin to an arbitrary value. The endpoint never validates that a legitimate WordPress session, capability, or nonce accompanies the request.
Attack Vector
An unauthenticated attacker sends an HTTP POST request to /wp-json/presslearn/v1/activate on a vulnerable site. The attacker adds an Origin header containing a string the plugin treats as trusted. The plugin's check_activate_permission() returns true, and the activation handler proceeds. The result is unauthorized activation of premium plugin functionality, affecting site integrity. According to the Exploit Prediction Scoring System (EPSS), the probability of exploitation is 0.251%.
No verified public proof-of-concept code is available. See the Wordfence vulnerability report and the plugin source on plugins.trac.wordpress.org for technical details on the vulnerable callback.
Detection Methods for CVE-2025-7664
Indicators of Compromise
- Requests to /wp-json/presslearn/v1/activate originating from clients without a valid authenticated WordPress session
- HTTP requests containing an Origin header from non-browser user agents such as curl, python-requests, or Go-http-client
- Unexpected changes in plugin option values related to premium feature activation in the wp_options table
Detection Strategies
- Inspect web server access logs for POST requests to the presslearn/v1/activate REST route and correlate with authentication state.
- Alert when REST API requests include an Origin header but lack a corresponding Cookie or X-WP-Nonce header.
- Audit the WordPress database for activation-related option entries that were modified outside of normal administrative sessions.
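The following is an added example, not code from the original advisory, that applies the first two detection strategies above to web server access logs. It assumes a custom nginx log_format (not the page's) that records the request method, URI, status, User-Agent, Origin, Cookie, and X-WP-Nonce header, with "-" for absent headers; the sample log lines are constructed.

```python
import re

# Assumed custom nginx log_format (not part of the advisory), one request per line:
# '$remote_addr $request_method $uri $status "$http_user_agent" "$http_origin"
#  "$http_cookie" "$http_x_wp_nonce"'  -- nginx logs a missing header as "-"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3}) '
    r'"(?P<ua>[^"]*)" "(?P<origin>[^"]*)" "(?P<cookie>[^"]*)" "(?P<nonce>[^"]*)"$'
)
VULN_ROUTE = "/wp-json/presslearn/v1/activate"
# Non-browser user agents named in the indicators of compromise
NONBROWSER_UA = re.compile(r"curl|python-requests|Go-http-client", re.IGNORECASE)


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious(rec):
    """Return the reasons a request matches the CVE-2025-7664 abuse pattern (empty if none)."""
    reasons = []
    if rec["method"] != "POST" or rec["uri"] != VULN_ROUTE:
        return reasons  # only the vulnerable activation route is of interest
    if "wordpress_logged_in" not in rec["cookie"]:
        reasons.append("no logged-in session cookie")
    if rec["nonce"] in ("", "-"):
        reasons.append("no X-WP-Nonce")
    if rec["origin"] not in ("", "-") and NONBROWSER_UA.search(rec["ua"]):
        reasons.append("Origin header from non-browser UA")
    return reasons


def scan(lines):
    """Return (client_ip, status, reasons) for every log line that looks like abuse."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        reasons = suspicious(rec)
        if reasons:
            hits.append((rec["ip"], rec["status"], reasons))
    return hits


# Constructed sample log: one spoofed-Origin activation, one legitimate admin
# activation with session cookie and nonce, and one unrelated REST request.
SAMPLE_LOG = [
    '203.0.113.7 POST /wp-json/presslearn/v1/activate 200 "curl/8.4.0" "https://example.com" "-" "-"',
    '198.51.100.4 POST /wp-json/presslearn/v1/activate 200 "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0" '
    '"https://example.com" "wordpress_logged_in_3f1=admin%7Cexample" "9f2c1e7b3a"',
    '192.0.2.9 GET /wp-json/wp/v2/posts 200 "python-requests/2.32" "-" "-" "-"',
]

if __name__ == "__main__":
    for ip, status, reasons in scan(SAMPLE_LOG):
        print(ip, status, "; ".join(reasons))
```

A hit with all three reasons is the strongest signal; a successful status (200) on such a request should trigger the wp_options audit described in the third strategy.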
Monitoring Recommendations
- Forward WordPress and web server logs to a centralized log analytics platform for retention and correlation.
- Monitor for sudden enablement of premium plugin features on hosts running AL Pack 1.1.1 or earlier.
- Track outbound calls the plugin may make to license validation endpoints following activation events.
How to Mitigate CVE-2025-7664
Immediate Actions Required
- Update the AL Pack plugin to the version that contains the fix from WordPress changeset #3346754.
- If a patched release is not yet deployable, deactivate and remove the AL Pack plugin until it can be updated.
- Review the site for unauthorized premium feature activations and revert any unexpected configuration changes.
Patch Information
The vendor addressed the issue in the plugin source tree under changeset #3346754. Site administrators should install the latest version available from the WordPress plugin directory. Verify after upgrade that check_activate_permission() enforces a capability or nonce check rather than relying solely on the Origin header.
Workarounds
- Block requests to /wp-json/presslearn/v1/activate at the web application firewall (WAF) layer until the plugin is updated.
- Restrict access to the WordPress REST API for unauthenticated users where the site's functionality allows.
- Use a WAF rule that rejects REST API requests with spoofed Origin headers that do not match the expected browser request pattern (missing Cookie, missing Referer, non-browser User-Agent).
# Example nginx rule to block unauthenticated access to the vulnerable endpoint.
# The cookie-name test is a coarse filter only: it keeps anonymous clients out but does
# not validate the session; the plugin update remains the real fix.
location = /wp-json/presslearn/v1/activate {
    if ($http_cookie !~* "wordpress_logged_in") {
        return 403;
    }
    # Requests that pass the check must still reach WordPress; without this line an exact
    # "location =" match would be served as a static file. Adjust to the site's PHP handler.
    try_files $uri /index.php?$args;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.