Unauthorized Access Vulnerability in AL Pack Plugin for WordPress
CVE-2025-7664

7.5HIGH

Key Information:

Vendor: WordPress
Status: Vendor
CVE Published: 16 August 2025

What is CVE-2025-7664?

The AL Pack plugin for WordPress, in all versions up to and including 1.0.2, allows unauthenticated users to activate its premium features. The check_activate_permission() function, which serves as the permission callback for the /wp-json/presslearn/v1/activate REST API endpoint, is missing a capability check: it only inspects the client-supplied Origin header and never authenticates the user, checks a capability, or verifies a nonce. Because any HTTP client can set the Origin header to an arbitrary value, the check provides no protection, and an unauthenticated attacker can send a request with a spoofed Origin header and activate premium features without authorization.
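The following is an added illustration of the vulnerable pattern beside its hardened form; it is not the AL Pack plugin's own source. The function and option names prefixed alpack_ are hypothetical, the activation logic is a placeholder, and the 'manage_options' capability is assumed as a reasonable gate for a site-wide licensing action. The route namespace and path are taken from the advisory.

```php
<?php
// Added example, not the AL Pack plugin's own code. Names prefixed alpack_
// are hypothetical; the route and path match the advisory.

// Vulnerable pattern: the only gate is the client-supplied Origin header.
// Any HTTP client (curl, a script) can set Origin to the site's own URL,
// so this returns true for unauthenticated requests and is effectively
// equivalent to 'permission_callback' => '__return_true'.
function alpack_check_activate_permission_weak( WP_REST_Request $request ) {
    $origin = $request->get_header( 'origin' );
    return null !== $origin
        && untrailingslashit( $origin ) === untrailingslashit( home_url() );
}

// Hardened pattern: require an authenticated user holding a real capability.
// With cookie authentication, WordPress core validates the X-WP-Nonce header
// (action 'wp_rest') before the route is dispatched; a missing or invalid
// nonce leaves the request unauthenticated, so current_user_can() is false
// and the callback returns an error. The Origin header plays no part.
function alpack_check_activate_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to activate premium features.', 'al-pack' ),
            // 401 for anonymous callers, 403 for logged-in users lacking the capability.
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Placeholder handler: the real plugin's activation logic is not on the page.
function alpack_activate( WP_REST_Request $request ) {
    update_option( 'alpack_premium_active', 1 );
    return rest_ensure_response( array( 'activated' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'presslearn/v1', '/activate', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'alpack_activate',
        'permission_callback' => 'alpack_check_activate_permission',
    ) );
} );
```

With the hardened callback in place, an anonymous POST to /wp-json/presslearn/v1/activate carrying a forged Origin header receives a 401 JSON error instead of activating the feature, which is the check to run when confirming a patched install.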

Affected Version(s)

AL Pack, all versions <= 1.0.2

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Timeline

  • Vulnerability reserved

  • Vulnerability published: 16 August 2025

Credit

Angus Girvan