
CVE-2025-7664: CWE-862 Missing Authorization in loword AL Pack

Severity: High
Tags: Vulnerability, CVE-2025-7664, CWE-862
Published: Sat Aug 16 2025 (08/16/2025, 03:38:50 UTC)
Source: CVE Database V5
Vendor/Project: loword
Product: AL Pack

Description

The AL Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the check_activate_permission() permission callback for the /wp-json/presslearn/v1/activate REST API endpoint in all versions up to, and including, 1.0.2. The callback reads the client-supplied Origin header and, after parsing, allows the request if it matches one of the trusted domains, without ever verifying user authentication, capabilities, or nonce tokens. This makes it possible for unauthenticated attackers to activate premium features by simply spoofing the Origin header.

AI-Powered Analysis

AI analysis last updated: 08/16/2025, 04:02:51 UTC

Technical Analysis

CVE-2025-7664 is a high-severity vulnerability affecting the AL Pack plugin for WordPress, developed by loword. The vulnerability stems from a missing authorization check in the REST API endpoint /wp-json/presslearn/v1/activate, which is responsible for activating premium features of the plugin. Specifically, the permission callback function check_activate_permission() improperly relies solely on the client-supplied Origin HTTP header to determine if a request is allowed. It compares the Origin header against a list of trusted domains but does not perform any user authentication, capability verification, or nonce token validation. This design flaw allows unauthenticated attackers to spoof the Origin header and gain unauthorized access to activate premium features without any legitimate credentials or user interaction. The vulnerability affects all versions of AL Pack up to and including 1.0.2.

The CVSS 3.1 base score is 7.5, reflecting a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), high integrity impact (I:H), and no availability impact (A:N). Although no known exploits are currently reported in the wild, the ease of exploitation and the potential for unauthorized feature activation make this a significant risk for WordPress sites using this plugin.

The vulnerability is categorized under CWE-862 (Missing Authorization), highlighting the failure to enforce proper access control mechanisms on sensitive operations exposed via the REST API. This flaw could be leveraged by attackers to bypass licensing or feature restrictions, potentially leading to revenue loss for plugin vendors and unauthorized use of premium functionality by malicious actors. The lack of patch links indicates that a fix may not yet be publicly available, increasing the urgency for affected users to implement mitigations or monitor for updates.
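The following PHP is an added illustration, not the plugin's actual code: a hypothetical reconstruction of the Origin-based permission callback pattern the advisory describes, placed beside a hardened callback that decides authorization from the authenticated user's capability. The trusted host list, the handler name presslearn_activate_premium and the option name presslearn_premium_active are assumptions for the example.

```php
<?php
// Added example (hypothetical reconstruction), not code from the AL Pack plugin.

// Constructed list of "trusted" origins for the example.
const PRESSLEARN_TRUSTED_HOSTS = array( 'trusted.example', 'www.trusted.example' );

// VULNERABLE PATTERN (as described in the advisory): the only gate is the
// client-supplied Origin header. Any HTTP client can set Origin to whatever it
// likes, so this grants access to unauthenticated callers (CWE-862).
function check_activate_permission_vulnerable( WP_REST_Request $request ) {
    $origin = $request->get_header( 'origin' );
    if ( ! $origin ) {
        return false;
    }
    $host = wp_parse_url( $origin, PHP_URL_HOST );
    return in_array( $host, PRESSLEARN_TRUSTED_HOSTS, true );
}

// HARDENED: authorization comes from the logged-in user's capability, never
// from a request header. With cookie authentication WordPress only sets the
// current user when a valid X-WP-Nonce (action 'wp_rest') is present; without
// it the user is 0 and current_user_can() fails, so the nonce check is enforced
// by the REST layer and the capability check below.
function check_activate_permission_hardened( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to activate premium features.', 'al-pack' ),
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }
    return true;
}

// Assumed handler: what the endpoint does once authorization has passed.
function presslearn_activate_premium( WP_REST_Request $request ) {
    update_option( 'presslearn_premium_active', 1 );
    return rest_ensure_response( array( 'activated' => true ) );
}

// Route registration for /wp-json/presslearn/v1/activate using the hardened callback.
add_action( 'rest_api_init', function () {
    register_rest_route( 'presslearn/v1', '/activate', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'presslearn_activate_premium',
        'permission_callback' => 'check_activate_permission_hardened',
    ) );
} );
```

The Origin header may still be consulted for CORS decisions, but it must never be the basis for an authorization decision because the caller controls it.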

Potential Impact

For European organizations operating WordPress websites that utilize the AL Pack plugin, this vulnerability poses a substantial risk. Unauthorized activation of premium features could lead to financial losses, as attackers might exploit the plugin without paying for licenses or subscriptions. Additionally, the integrity of the affected websites could be compromised, as attackers might leverage the unauthorized access to further manipulate plugin behavior or escalate privileges within the site environment. Although the vulnerability does not directly impact confidentiality or availability, the integrity impact is high, which could undermine trust in the affected organizations' web presence. This is particularly critical for European businesses relying on WordPress for e-commerce, content delivery, or customer engagement, where unauthorized feature activation could disrupt business models or violate compliance requirements related to software licensing and digital rights management. Furthermore, the vulnerability's exploitation could serve as a foothold for more complex attacks if combined with other weaknesses in the WordPress ecosystem. Given the widespread use of WordPress across Europe, the potential attack surface is significant, especially for small and medium enterprises that may not have robust security monitoring or patch management processes in place.

Mitigation Recommendations

To mitigate this vulnerability effectively, European organizations should take the following specific actions:

1) Immediately audit all WordPress installations to identify the presence of the AL Pack plugin and determine the version in use.
2) Disable or remove the AL Pack plugin if it is not essential to business operations until a security patch is released.
3) If the plugin is critical, implement web application firewall (WAF) rules to block or restrict access to the /wp-json/presslearn/v1/activate REST API endpoint, especially from untrusted IP addresses or origins.
4) Monitor web server and application logs for suspicious requests that spoof the Origin header targeting this endpoint.
5) Engage with the plugin vendor (loword) to obtain information on patch availability or planned remediation timelines.
6) Consider deploying additional authentication or authorization layers at the API gateway or reverse proxy level to enforce strict access controls beyond the plugin's native checks.
7) Educate development and security teams about the risks of relying solely on client-supplied headers for authorization decisions and encourage secure coding practices that include proper capability checks and nonce validation.
8) Maintain up-to-date backups and incident response plans to quickly recover from any potential exploitation.

These targeted measures go beyond generic advice by focusing on immediate containment, monitoring, and compensating controls while awaiting an official patch.
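As an added example of a site-level compensating control (items 4 and 6 above) that does not require editing the vendor plugin, this must-use plugin intercepts the affected route before AL Pack's own permission callback runs, denies it to anyone who is not an authenticated administrator, and logs the attempt with the Origin value for monitoring. It is not vendor code; the file name and log prefix are assumptions.

```php
<?php
/**
 * Plugin Name: AL Pack activate-endpoint guard
 * Description: Added example; place in wp-content/mu-plugins/al-pack-guard.php
 *              until an official fix for CVE-2025-7664 is installed.
 */

// 'rest_request_before_callbacks' runs after routing but before the route's
// permission_callback and callback. Returning a WP_Error here terminates the
// request, so the plugin's Origin-based check is never reached.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    // Only guard the vulnerable route; leave every other REST request alone.
    if ( '/presslearn/v1/activate' !== $request->get_route() ) {
        return $response;
    }

    // Legitimate use: a logged-in administrator with a valid X-WP-Nonce.
    if ( current_user_can( 'manage_options' ) ) {
        return $response;
    }

    // Everything else is blocked and recorded. REMOTE_ADDR is the peer address;
    // behind a reverse proxy, map the proxy's forwarded-for header to it at the
    // proxy or in wp-config.php, otherwise every entry shows the proxy's IP.
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $origin = $request->get_header( 'origin' );
    error_log( sprintf(
        '[al-pack-guard] blocked unauthenticated activate request from %s, Origin=%s',
        $ip,
        null === $origin ? '(none)' : $origin
    ) );

    return new WP_Error(
        'rest_forbidden',
        'Authentication required for this endpoint.',
        array( 'status' => rest_authorization_required_code() )
    );
}, 10, 3 );
```

The resulting "[al-pack-guard] blocked ..." lines in the PHP error log give the signal item 4 asks for: repeated hits carrying a trusted-looking Origin without a session are exactly the spoofing pattern the advisory describes.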


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-07-14T21:30:46.374Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 689fff64ad5a09ad0074399b

Added to database: 8/16/2025, 3:47:48 AM

Last enriched: 8/16/2025, 4:02:51 AM

Last updated: 8/21/2025, 12:35:14 AM

