CVE-2025-7664: CWE-862 Missing Authorization in loword AL Pack
The AL Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the check_activate_permission() permission callback for the /wp-json/presslearn/v1/activate REST API endpoint in all versions up to, and including, 1.0.2. The callback reads the client-supplied Origin header and, after parsing, allows the request if it matches one of the trusted domains, without ever verifying user authentication, capabilities, or nonce tokens. This makes it possible for unauthenticated attackers to activate premium features by simply spoofing the Origin header.
AI Analysis
Technical Summary
CVE-2025-7664 is a high-severity vulnerability affecting the AL Pack plugin for WordPress, developed by loword. The vulnerability stems from a missing authorization check in the check_activate_permission() callback function that governs access to the /wp-json/presslearn/v1/activate REST API endpoint. Specifically, the plugin relies solely on the client-supplied Origin HTTP header to determine if a request should be allowed, by matching it against a list of trusted domains. However, it does not verify user authentication, user capabilities, or nonce tokens, which are standard WordPress security mechanisms to prevent unauthorized actions. This design flaw allows unauthenticated attackers to spoof the Origin header and activate premium features of the plugin without any legitimate credentials or user interaction. The vulnerability affects all versions of AL Pack up to and including 1.0.2. The CVSS v3.1 base score is 7.5, reflecting a network attack vector with low complexity, no privileges required, no user interaction, and a scope that remains unchanged. The impact is primarily on integrity, as attackers can illicitly enable premium features, potentially leading to unauthorized access to paid functionalities or bypassing licensing restrictions. There is no known exploit in the wild yet, and no patches have been published at the time of this report. The root cause is classified under CWE-862 (Missing Authorization), indicating a failure to properly enforce access control checks on sensitive operations exposed via the REST API.
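To make the weakness class concrete, the following is an added illustration, not the AL Pack plugin's code and not taken from the original report. It places the pattern the analysis describes (a permission callback that only parses and matches the client-supplied Origin header) beside a callback that ties the decision to an authenticated user, a capability and the REST nonce. The example/v1 namespace, the function and option names, the trusted-domain list and the choice of the manage_options capability are assumptions made for the example.

```php
<?php
// Added example: illustrates the CWE-862 pattern in a WordPress REST permission
// callback. Not the AL Pack plugin's code; all names below are assumptions.

// Weak pattern: the decision rests on the Origin header. Any HTTP client can set
// Origin to whatever it likes, so this proves nothing about who is calling and
// never consults the WordPress user, capabilities or nonce.
function example_weak_activate_permission( WP_REST_Request $request ) {
    $trusted = array( 'example.com', 'www.example.com' ); // assumed trusted list
    $origin  = $request->get_header( 'origin' );
    $host    = $origin ? wp_parse_url( $origin, PHP_URL_HOST ) : null;
    return null !== $host && in_array( $host, $trusted, true );
}

// Hardened pattern: require an authenticated user, a capability appropriate for
// an administrative action, and the REST nonce so that a logged-in admin's
// browser cannot be driven to this route from a third-party page.
function example_safe_activate_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_forbidden',
            'Authentication required.',
            array( 'status' => rest_authorization_required_code() ) // 401 when anonymous
        );
    }
    if ( ! current_user_can( 'manage_options' ) ) { // assumed: activation is admin-only
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }
    // Cookie-based REST requests must carry X-WP-Nonce ("wp_rest"); WordPress
    // already drops the user when it is missing, this check makes the intent explicit.
    $nonce = $request->get_header( 'x_wp_nonce' );
    if ( ! $nonce || ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
        return new WP_Error( 'rest_cookie_invalid_nonce', 'Invalid or missing nonce.', array( 'status' => 403 ) );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/activate', array( // assumed namespace and route
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_activate_premium',
        'permission_callback' => 'example_safe_activate_permission',
    ) );
} );

// Assumed handler: the sensitive operation the permission callback protects.
function example_activate_premium( WP_REST_Request $request ) {
    update_option( 'example_premium_active', 1 ); // assumed option name
    return rest_ensure_response( array( 'activated' => true ) );
}
```

The explicit nonce check restricts the route to same-site cookie sessions, which suits an action triggered from the admin UI; if the route must also serve clients that authenticate with Application Passwords (no nonce is sent in that flow), keep the login and capability checks and drop only the nonce branch.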
Potential Impact
For European organizations using WordPress websites with the AL Pack plugin installed, this vulnerability poses a significant risk of unauthorized feature activation. This could lead to financial losses if premium features are monetized, undermine licensing models, and potentially expose further attack surfaces if premium features include additional capabilities or integrations. Organizations relying on AL Pack for critical website functionality may experience integrity violations, as attackers can manipulate plugin behavior without authentication. While the vulnerability does not directly affect confidentiality or availability, the unauthorized activation could facilitate further exploitation or unauthorized data access if premium features include data handling or administrative functions. The ease of exploitation (no authentication or user interaction required) increases the likelihood of automated attacks targeting vulnerable sites. Given WordPress's widespread use in Europe, especially among SMEs and public sector websites, the vulnerability could have broad implications if not addressed promptly.
Mitigation Recommendations
1. Immediate mitigation involves disabling or restricting access to the /wp-json/presslearn/v1/activate REST API endpoint via web application firewalls (WAFs) or server-level access controls until an official patch is released.
2. Monitor HTTP requests for suspicious Origin header spoofing targeting this endpoint and implement anomaly detection rules.
3. If possible, restrict REST API access to authenticated users only by customizing WordPress REST API permissions or using security plugins that enforce strict capability checks.
4. Engage with the plugin vendor (loword) to obtain or request a security patch that properly implements authorization checks including user authentication, capability verification, and nonce validation.
5. Conduct an audit of all WordPress plugins to identify and remediate similar authorization weaknesses.
6. Educate site administrators on the risks of installing unverified plugins and encourage regular updates and security reviews.
7. Implement logging and alerting for unauthorized activation attempts to enable rapid incident response.
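Recommendations 3 and 7 can be combined into a site-level interim control while waiting for a vendor fix. The following must-use plugin is an added example, not code from the plugin vendor or from the original report: it hooks the rest_pre_dispatch filter, which WordPress applies after authentication and before any route's own permission callback, logs every request to the affected route, and rejects it unless an administrator is logged in. The route prefix comes from the report; the manage_options capability and the log format are assumptions.

```php
<?php
/**
 * Plugin Name: Interim lock for the presslearn activate route
 * Description: Added example of an interim REST restriction (not vendor code).
 * Place this file in wp-content/mu-plugins/ and remove it once a fixed plugin
 * version is installed.
 */

// rest_pre_dispatch runs inside WP_REST_Server::dispatch(), after cookie/nonce
// (or other) authentication has set the current user and before route matching.
// Returning a WP_Error here short-circuits the request regardless of the
// plugin's own permission callback.
add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    $route = $request->get_route(); // e.g. "/presslearn/v1/activate"
    if ( 0 !== strpos( $route, '/presslearn/v1/activate' ) ) {
        return $result; // not the affected endpoint, let it proceed
    }

    // Recommendation 7: record every hit so unauthorized attempts are visible.
    // The Origin value is logged because the weak check keyed on it; it is
    // untrusted input, so it is sanitized before being written.
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
    $origin = sanitize_text_field( (string) $request->get_header( 'origin' ) );
    error_log( sprintf(
        'presslearn activate request: ip=%s origin=%s user=%d',
        $ip,
        '' === $origin ? '-' : $origin,
        get_current_user_id()
    ) );

    // Recommendation 3: only an authenticated administrator may reach the route.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) { // assumed capability
        return new WP_Error(
            'rest_forbidden',
            'This endpoint is temporarily restricted to administrators.',
            array( 'status' => rest_authorization_required_code() ) // 401 anonymous, 403 otherwise
        );
    }
    return $result;
}, 10, 3 );
```

Because the filter acts before the plugin's callback, it works without modifying the vulnerable plugin and survives plugin updates; the log line gives the alerting rule in recommendation 7 a stable string to match on (repeated anonymous hits with a spoofed Origin stand out as user=0 entries).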
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-14T21:30:46.374Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 689fff64ad5a09ad0074399b
Added to database: 8/16/2025, 3:47:48 AM
Last enriched: 8/24/2025, 1:01:38 AM
Last updated: 10/6/2025, 2:26:59 PM