
CVE-2025-7664: CWE-862 Missing Authorization in loword AL Pack

Severity: High
Published: Sat Aug 16 2025 (08/16/2025, 03:38:50 UTC)
Source: CVE Database V5
Vendor/Project: loword
Product: AL Pack

Description

The AL Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the check_activate_permission() permission callback for the /wp-json/presslearn/v1/activate REST API endpoint in all versions up to, and including, 1.0.2. The callback reads the client-supplied Origin header and, after parsing, allows the request if it matches one of the trusted domains, without ever verifying user authentication, capabilities, or nonce tokens. This makes it possible for unauthenticated attackers to activate premium features by simply spoofing the Origin header.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/26/2026, 16:25:41 UTC

Technical Analysis

CVE-2025-7664 is a vulnerability classified under CWE-862 (Missing Authorization) found in the AL Pack plugin for WordPress, developed by loword. The issue exists in the check_activate_permission() callback function associated with the /wp-json/presslearn/v1/activate REST API endpoint. This function improperly authorizes requests by solely relying on the client-supplied Origin HTTP header to determine if the request comes from a trusted domain, without performing any user authentication, capability checks, or nonce verification. As a result, an attacker can craft a request with a spoofed Origin header matching a trusted domain and activate premium features of the plugin without any legitimate credentials or user interaction. This vulnerability affects all versions up to and including 1.0.2 of the AL Pack plugin. The CVSS 3.1 base score is 7.5, reflecting a network attack vector with low attack complexity, no privileges required, no user interaction, and a high impact on integrity (unauthorized activation of premium features), but no impact on confidentiality or availability. Although no exploits have been reported in the wild, the flaw presents a significant risk to WordPress sites using this plugin, especially those monetizing premium features. The root cause is the absence of proper authorization checks, which should include verifying user capabilities and nonce tokens to ensure requests are legitimate and authorized. The vulnerability was publicly disclosed on August 16, 2025, and remains unpatched as no official patch links are provided.

Potential Impact

The primary impact of CVE-2025-7664 is unauthorized activation of premium features within the AL Pack plugin, which can lead to financial losses for plugin vendors and site owners due to license circumvention. Attackers can exploit this vulnerability remotely without authentication or user interaction, making it easy to abuse at scale. This compromises the integrity of the plugin’s licensing mechanism, potentially enabling widespread unauthorized use of paid features. While confidentiality and availability are not directly affected, the unauthorized feature activation can undermine trust in the affected websites and their services. For organizations relying on AL Pack for critical functionality or monetization, this could result in revenue loss, reputational damage, and increased support costs. Additionally, attackers might leverage the unauthorized access to further pivot or escalate privileges if combined with other vulnerabilities. The scope is broad since all versions up to 1.0.2 are affected, and WordPress’s global popularity means many sites could be impacted.

Mitigation Recommendations

To mitigate CVE-2025-7664, organizations should immediately implement strict server-side authorization checks for the /wp-json/presslearn/v1/activate endpoint. This includes verifying user authentication status, checking user capabilities or roles, and validating nonce tokens to ensure requests are legitimate and authorized. Do not rely solely on the Origin header for authorization decisions, as it can be easily spoofed. Site administrators should monitor plugin updates from loword and apply patches as soon as they become available. If no official patch exists, consider temporarily disabling the affected REST API endpoint or the AL Pack plugin until a fix is released. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests that spoof Origin headers or attempt unauthorized activations. Regularly audit plugin permissions and REST API endpoints for similar authorization weaknesses. Additionally, educate site administrators about the risks of installing plugins from unverified sources and encourage the use of security plugins that monitor for anomalous REST API activity.
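The following is an added illustration of the flaw class described above beside the hardened form the recommendations call for; it is not the AL Pack plugin's own code. The route path is the one named in the advisory, while the trusted host, the handler name and the required capability are assumptions.

```php
<?php
// Added illustration, not the AL Pack plugin's own code. The route path comes
// from the advisory; the trusted host, handler name and capability are assumed.

// Weak pattern (as the advisory describes it): the decision rests on the
// Origin header, which the client controls. Any unauthenticated request that
// supplies a matching value passes, so this checks nothing about the user.
function weak_check_activate_permission( WP_REST_Request $request ) {
    $trusted = array( 'plugin-vendor.example' ); // constructed sample value
    $origin  = $request->get_header( 'origin' );
    $host    = $origin ? wp_parse_url( $origin, PHP_URL_HOST ) : '';
    return in_array( $host, $trusted, true );
}

// Hardened pattern: authorize on the server-side identity, never on headers.
// Under cookie authentication WordPress attaches the logged-in user to a REST
// request only when a valid X-WP-Nonce (action 'wp_rest') accompanies it; a
// missing nonce makes the request anonymous and an invalid one is rejected,
// so is_user_logged_in() and current_user_can() already reflect the nonce.
function hardened_check_activate_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'Authentication required.',
            array( 'status' => 401 )
        );
    }
    // Activating licensed features is an administrative action; the exact
    // capability a real plugin should require is an assumption here.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Insufficient capability.',
            array( 'status' => 403 )
        );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'presslearn/v1', '/activate', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'presslearn_activate_features', // assumed handler
        'permission_callback' => 'hardened_check_activate_permission',
    ) );
} );
```

When auditing other plugins for the same weakness, look for permission callbacks that return `true` unconditionally or that read request headers instead of calling `current_user_can()`.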


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-07-14T21:30:46.374Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 689fff64ad5a09ad0074399b

Added to database: 8/16/2025, 3:47:48 AM

Last enriched: 2/26/2026, 4:25:41 PM

Last updated: 3/28/2026, 9:09:08 AM

Views: 84
