CVE-2025-7664 Overview
The AL Pack plugin for WordPress contains an authorization bypass vulnerability due to a missing capability check on the check_activate_permission() permission callback for the /wp-json/presslearn/v1/activate REST API endpoint. In all versions up to and including 1.1.1, the callback reads the client-supplied Origin header and allows the request if it matches one of the trusted domains, without ever verifying user authentication, capabilities, or nonce tokens. This makes it possible for unauthenticated attackers to activate premium features by simply spoofing the Origin header.
Critical Impact
Unauthenticated attackers can bypass authorization controls and activate premium plugin features without valid authentication by manipulating HTTP request headers.
Affected Products
- AL Pack WordPress Plugin versions up to and including 1.1.1
- WordPress installations with the vulnerable AL Pack plugin installed
Discovery Timeline
- 2025-08-16 - CVE-2025-7664 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-7664
Vulnerability Analysis
This vulnerability is classified under CWE-862 (Missing Authorization), which represents a fundamental access control flaw where the application fails to properly verify that a user has the necessary permissions before granting access to a protected resource or functionality.
The core issue lies in the flawed implementation of the check_activate_permission() callback function used to protect the REST API endpoint. Rather than performing a WordPress capability check or verifying that the requester is authenticated, the function relies solely on comparing the HTTP Origin header against a list of trusted domains. That design is unsound: request headers are client-controlled, so any HTTP client outside a browser can set Origin to whatever value the check expects.
The impact allows unauthenticated attackers to activate premium features within the plugin, potentially gaining access to functionality that should be restricted to paying customers or authorized administrators.
Root Cause
The root cause is the improper use of the Origin header as an authorization mechanism. The check_activate_permission() function parses the incoming request's Origin header and compares it against trusted domain values. If a match is found, the request is authorized without any additional verification of user identity, WordPress capabilities, or CSRF protection via nonce tokens.
This reflects a basic misunderstanding of what the Origin header provides. Browsers attach it so that servers can enforce CORS (Cross-Origin Resource Sharing) policy for browser-initiated cross-site requests; a client that is not a browser can set it to any value, so it must never be the sole authorization mechanism.
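As an added illustration (not the AL Pack plugin's own code), the Origin-only permission callback the advisory describes next to a hardened replacement that checks authentication and capability instead. Route names follow the advisory; the trusted-domain list, option name and handler function are assumed placeholders.

```php
<?php
// Added example, not the AL Pack plugin's own code. It contrasts a permission
// callback that authorizes on the client-supplied Origin header with a hardened
// replacement. Route names follow the advisory; the trusted-domain list, the
// option name and the handler function are assumed placeholders.

// VULNERABLE pattern (CWE-862): any HTTP client can set Origin to a trusted value.
function check_activate_permission_vulnerable( WP_REST_Request $request ) {
    $trusted_origins = array( 'https://vendor.example' ); // assumed placeholder
    $origin = $request->get_header( 'origin' );
    return in_array( $origin, $trusted_origins, true ); // no user, capability or nonce check
}

// HARDENED: require an authenticated user who may manage the site. WordPress
// core validates the X-WP-Nonce header before the permission callback runs and
// treats a cookie-authenticated request without a valid nonce as user 0, so
// is_user_logged_in() already fails for forged or cross-site requests.
function check_activate_permission_hardened( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }
    return true; // Origin plays no part in authorization and is not consulted
}

// Assumed activation handler: records the activation and reports it.
function presslearn_activate_handler( WP_REST_Request $request ) {
    update_option( 'presslearn_premium_active', true ); // assumed option name
    return rest_ensure_response( array( 'activated' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'presslearn/v1', '/activate', array(
        'methods'             => WP_REST_Server::CREATABLE, // POST
        'callback'            => 'presslearn_activate_handler',
        'permission_callback' => 'check_activate_permission_hardened',
    ) );
} );
```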
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can craft a malicious HTTP request directly to the vulnerable REST API endpoint while spoofing the Origin header to match one of the trusted domains configured in the plugin.
The exploitation flow involves:
- Identifying a WordPress installation with the vulnerable AL Pack plugin
- Crafting a POST request to /wp-json/presslearn/v1/activate
- Setting the Origin header to match a trusted domain (e.g., the plugin vendor's domain)
- The server accepts the spoofed Origin and processes the activation request
- Premium features become unlocked without valid authorization
Since the attack requires only network access and a spoofed HTTP header, it can be automated at scale against multiple WordPress installations.
Detection Methods for CVE-2025-7664
Indicators of Compromise
- Unexpected POST requests to /wp-json/presslearn/v1/activate endpoint in web server access logs
- Premium AL Pack features activated without corresponding license purchases or administrator actions
- Requests to the activate endpoint originating from suspicious IP addresses or automated tools
- Origin headers in requests that don't correlate with legitimate browser-based user activity
Detection Strategies
- Monitor web server logs for requests to the /wp-json/presslearn/v1/activate endpoint, especially from non-browser user agents
- Implement Web Application Firewall (WAF) rules to detect and alert on requests with spoofed or suspicious Origin headers
- Configure SentinelOne to monitor for unauthorized changes to WordPress plugin configuration files or database options
- Review WordPress audit logs for unexpected premium feature activations
Monitoring Recommendations
- Enable verbose logging for REST API requests on WordPress installations running the AL Pack plugin
- Set up alerts for activation events that occur outside of normal administrative activity patterns
- Monitor for bulk requests to the vulnerable endpoint which may indicate automated exploitation attempts
- Integrate endpoint detection with WordPress security plugins to correlate API abuse with other suspicious activity
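An added example (not from the advisory or the plugin) that applies the log-based indicators above to sample access log lines: it flags POSTs to the activation endpoint, in either its pretty-permalink or ?rest_route= form, whose Origin host is not the site itself or whose User-Agent is not browser-like. It assumes PHP 8, a custom Apache LogFormat that records the Origin header, and that legitimate activations come from the site's own host; the log lines are constructed.

```php
<?php
// Added example, not from the advisory or the plugin: scan access log lines for the
// indicators above. Assumes PHP 8, an Apache LogFormat of
// %h %t "%r" %>s "%{Origin}i" "%{User-Agent}i" (Origin is absent from the default
// combined format), and that legitimate activations come from the site's own host.
const ACTIVATE_PATH  = '/wp-json/presslearn/v1/activate';
const ACTIVATE_ROUTE = 'rest_route=/presslearn/v1/activate'; // query-string form of the same route

function parse_line( string $line ): ?array {
    $re = '/^(\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)" "([^"]*)"$/';
    if ( ! preg_match( $re, $line, $m ) ) { return null; } // not in the assumed format
    return array( 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'origin' => $m[6], 'ua' => $m[7] );
}

// Anomalies for a POST to the activation endpoint; an empty array means nothing to flag.
function suspicious_reasons( array $r, string $site_host ): array {
    $targets_endpoint = str_contains( $r['path'], ACTIVATE_PATH ) || str_contains( urldecode( $r['path'] ), ACTIVATE_ROUTE );
    if ( $r['method'] !== 'POST' || ! $targets_endpoint ) {
        return array();
    }
    $reasons     = array();
    $origin_host = $r['origin'] === '-' ? null : parse_url( $r['origin'], PHP_URL_HOST );
    if ( $origin_host !== $site_host ) { // an admin's own browser sends the site's origin
        $reasons[] = 'Origin host is not the site host (' . ( $origin_host ?? 'absent' ) . ')';
    }
    if ( ! str_starts_with( $r['ua'], 'Mozilla/' ) ) {
        $reasons[] = 'non-browser User-Agent: ' . $r['ua'];
    }
    return $reasons;
}

function scan_log( array $lines, string $site_host ): array {
    $findings = array();
    foreach ( $lines as $line ) {
        $r = parse_line( $line );
        if ( $r !== null && ( $reasons = suspicious_reasons( $r, $site_host ) ) ) {
            $findings[] = array( 'ip' => $r['ip'], 'time' => $r['time'], 'reasons' => $reasons );
        }
    }
    return $findings;
}

// Constructed sample: an admin's own activation (not flagged), then two scripted requests.
$sample = array(
    '203.0.113.10 [16/Aug/2025:10:00:00 +0000] "POST /wp-json/presslearn/v1/activate HTTP/1.1" 200 "https://blog.example" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"',
    '198.51.100.7 [16/Aug/2025:10:05:13 +0000] "POST /wp-json/presslearn/v1/activate HTTP/1.1" 200 "https://vendor.example" "python-requests/2.32"',
    '198.51.100.7 [16/Aug/2025:10:05:20 +0000] "POST /index.php?rest_route=%2Fpresslearn%2Fv1%2Factivate HTTP/1.1" 200 "https://vendor.example" "curl/8.5"',
);
foreach ( scan_log( $sample, 'blog.example' ) as $f ) {
    echo $f['time'], ' ', $f['ip'], ': ', implode( '; ', $f['reasons'] ), PHP_EOL;
}
```

Correlate flagged entries with the plugin's activation state and with administrator sessions before treating them as confirmed exploitation; the User-Agent heuristic in particular is easy for a client to change.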
How to Mitigate CVE-2025-7664
Immediate Actions Required
- Update the AL Pack plugin to the latest patched version immediately
- Review activation logs to identify any unauthorized premium feature activations
- If unable to update immediately, disable the AL Pack plugin until a patch can be applied
- Audit WordPress installations for signs of compromise or unauthorized feature access
Patch Information
A security patch addressing this vulnerability is available. The fix can be reviewed in the WordPress Plugin Changeset. Administrators should update to the latest version of the AL Pack plugin available through the WordPress plugin repository. Additional details about the plugin and its developers can be found on the WordPress Plugin Developer Info page.
For detailed vulnerability analysis, refer to the Wordfence Vulnerability Analysis.
Workarounds
- Temporarily disable the AL Pack plugin if immediate patching is not possible
- Implement WAF rules to block unauthenticated requests to the /wp-json/presslearn/v1/activate endpoint
- Restrict access to the WordPress REST API at the web server level using IP whitelisting for administrative functions
- Consider using a WordPress security plugin to add additional authorization layers to REST API endpoints
# Example Apache (2.4, mod_authz_core) configuration to restrict access to the vulnerable endpoint
<Location "/wp-json/presslearn/v1/activate">
    # Allow only the administrative network; adjust the range to your environment
    Require ip 192.168.1.0/24
    # Or deny all external access
    # Require all denied
</Location>
# Note: WordPress also serves REST routes through the query string, e.g.
# /index.php?rest_route=/presslearn/v1/activate, which the <Location> block above
# does not match. Cover that form as well (a RewriteCond on %{QUERY_STRING}, for
# instance) or disable the plugin until the patch is applied.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.