PT-2025-33530 · WordPress · Al Pack For Wordpress

Angus Girvan · Published 2025-08-16 · Updated 2025-08-21 · CVE-2025-7664

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: AL Pack for WordPress versions up to and including 1.0.2
Description: The AL Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the check_activate_permission() permission callback for the /wp-json/presslearn/v1/activate API endpoint. The callback reads the client-supplied Origin header and allows the request if it matches one of the trusted domains, without verifying user authentication, capabilities, or nonce tokens. This allows unauthenticated attackers to activate premium features by spoofing the Origin header.
Recommendations: AL Pack for WordPress versions up to and including 1.0.2: Update to a version beyond 1.0.2.
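
The pattern described above, next to a permission callback that authorizes the logged-in user instead, as an added example that is not AL Pack's source code. The `example/v1` namespace, the `example_*` function names, the option name and the allowlist entry are hypothetical; the WordPress calls are core REST API functions.

```php
<?php
// Added illustration; every example_* name is hypothetical, not plugin code.

// Constructed allowlist standing in for the plugin's "trusted domains".
const EXAMPLE_TRUSTED_ORIGINS = array( 'https://licensing.example.com' );

// WEAK: the decision rests on a request header whose value the client picks.
// Browsers set Origin honestly; any other HTTP client can send any value.
function example_weak_permission( WP_REST_Request $request ) {
    $origin = (string) $request->get_header( 'origin' );
    return in_array( $origin, EXAMPLE_TRUSTED_ORIGINS, true );
}

// HARDENED: authorize the authenticated user, not the header.
function example_hardened_permission( WP_REST_Request $request ) {
    // With cookie authentication, core keeps the current user only when a
    // valid X-WP-Nonce (action "wp_rest") accompanies the request, so this
    // check fails for anonymous callers and for requests without a nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to change the activation state.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// State-changing handler that the permission callback protects.
function example_activate( WP_REST_Request $request ) {
    update_option( 'example_premium_active', 1 );
    return rest_ensure_response( array( 'activated' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/activate', array(
        'methods'             => WP_REST_Server::CREATABLE, // POST only
        'callback'            => 'example_activate',
        'permission_callback' => 'example_hardened_permission',
    ) );
} );
```

An Origin allowlist can still be kept as an additional filter for browser traffic, but only after the capability check has passed.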

Fix

Missing Authorization


Weakness Enumeration

Related Identifiers

CVE-2025-7664

Affected Products

Al Pack For Wordpress