Description
The AL Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the check_activate_permission() permission callback for the /wp-json/presslearn/v1/activate REST API endpoint in all versions up to, and including, 1.1.1. The callback reads the client-supplied Origin header and, after parsing, allows the request if it matches one of the trusted domains, without ever verifying user authentication, capabilities, or nonce tokens. This makes it possible for unauthenticated attackers to activate premium features by simply spoofing the Origin header.
Published: 2025-08-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Activation of Premium Features via Unauthenticated REST API
Action: Apply Patch
AI Analysis

Impact

The vulnerability stems from a missing capability check in the check_activate_permission callback for the /wp-json/presslearn/v1/activate REST endpoint. Consequently, any unauthenticated client can send a request whose Origin header is spoofed to match a trusted domain, and the plugin will activate premium features without verifying authentication, capabilities, or nonce tokens. This flaw is a classic example of CWE-862: Missing Authorization, allowing attackers to reach privileged functionality that should be restricted to authorized users.

Affected Systems

The flaw affects the AL Pack plugin for WordPress, as distributed by loword:AL Pack, in all releases up to and including version 1.1.1.

Risk and Exploitability

With a CVSS score of 7.5 the vulnerability carries moderate severity. The EPSS score of less than 1% indicates a low probability of immediate exploitation, and the issue is not listed in the CISA KEV catalog. The attack vector is straightforward: an unauthenticated client can target the REST endpoint while spoofing the Origin header. Because the check never validates the user's identity or permissions, the attacker can activate premium features and potentially gain further access to the plugin's functionality. The overall risk is therefore moderate but actionable.

Generated by OpenCVE AI on April 21, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the AL Pack plugin to the latest release that corrects the missing authorization check; the fix ensures authentication and capability validation in the check_activate_permission callback.
  • If an update cannot be performed immediately, restrict access to the /wp-json/presslearn/v1/activate route by configuring the web server (e.g., with .htaccess or firewall rules) to require a valid WordPress session cookie or admin credentials.
  • Implement a temporary filter or hook in WordPress to enforce a capability check on the REST endpoint, ensuring that only logged-in users with the appropriate role can invoke the activation function.
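The following PHP is an added illustration, not the AL Pack plugin's actual code: it reconstructs the weak pattern the description names (a permission callback that trusts the client-supplied Origin header) beside a hardened permission callback that derives authorization from the WordPress session, and it shows the temporary site-side hook suggested above, which enforces a capability check on the /presslearn/v1/activate route before any plugin callback runs. The route namespace and path come from the advisory; the handler name presslearn_activate_handler, the trusted-domain list and the manage_options capability are assumptions made for the example.

```php
<?php
/**
 * Added example (not the AL Pack plugin's own code). Assumed names:
 * presslearn_activate_handler(), the trusted-domain list, and the
 * 'manage_options' capability used as the "appropriate role".
 */

// --- Weak pattern: reconstruction of the described defect ---
// The Origin header is chosen by the HTTP client, so accepting it as the only
// gate performs no authentication, capability, or nonce check whatsoever.
function check_activate_permission_weak( WP_REST_Request $request ) {
    $origin  = (string) $request->get_header( 'origin' );
    $host    = wp_parse_url( $origin, PHP_URL_HOST );
    $trusted = array( 'example.com' ); // constructed placeholder list
    return in_array( $host, $trusted, true );
}

// --- Hardened permission callback ---
// Authorization is derived from the WordPress session, never from headers the
// client controls. For cookie-based REST requests WordPress validates the
// 'wp_rest' nonce sent in X-WP-Nonce before the callback runs; a missing or
// invalid nonce leaves the request unauthenticated, so is_user_logged_in()
// already fails closed without a second nonce check here.
function check_activate_permission_hardened( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }
    return true;
}

// Route registration using the hardened callback (handler name is assumed).
add_action( 'rest_api_init', function () {
    register_rest_route( 'presslearn/v1', '/activate', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'presslearn_activate_handler',
        'permission_callback' => 'check_activate_permission_hardened',
    ) );
} );

// --- Temporary mitigation for sites that cannot update yet ---
// rest_request_before_callbacks runs before any route's permission callback.
// Returning a WP_Error short-circuits the request, so the plugin's own
// Origin-based check is never reached for callers who are not administrators.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    if ( '/presslearn/v1/activate' === $request->get_route()
        && ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Activation requires an administrator session.',
            array( 'status' => 403 )
        );
    }
    return $response;
}, 10, 3 );
```

The mitigation filter can be dropped into a small must-use plugin (wp-content/mu-plugins) so it loads regardless of plugin order and is trivial to remove once the patched AL Pack release is installed. Note that the hardened callback intentionally ignores Origin altogether: request headers may still be used for CORS decisions, but never as a substitute for authentication.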


Advisories
Source: EUVD
ID: EUVD-2025-25064
Title: The AL Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the check_activate_permission() permission callback for the /wp-json/presslearn/v1/activate REST API endpoint in all versions up to, and including, 1.0.2. The callback reads the client-supplied Origin header and, after parsing, allows the request if it matches one of the trusted domains, without ever verifying user authentication, capabilities, or nonce tokens. This makes it possible for unauthenticated attackers to activate premium features by simply spoofing the Origin header.
History

Wed, 08 Apr 2026 17:45:00 +0000

Type: Description
  Values Removed: The AL Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the check_activate_permission() permission callback for the /wp-json/presslearn/v1/activate REST API endpoint in all versions up to, and including, 1.0.2. The callback reads the client-supplied Origin header and, after parsing, allows the request if it matches one of the trusted domains, without ever verifying user authentication, capabilities, or nonce tokens. This makes it possible for unauthenticated attackers to activate premium features by simply spoofing the Origin header.
  Values Added: The AL Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the check_activate_permission() permission callback for the /wp-json/presslearn/v1/activate REST API endpoint in all versions up to, and including, 1.1.1. The callback reads the client-supplied Origin header and, after parsing, allows the request if it matches one of the trusted domains, without ever verifying user authentication, capabilities, or nonce tokens. This makes it possible for unauthenticated attackers to activate premium features by simply spoofing the Origin header.
Type: Title
  Values Removed: Al Pack <= 1.0.2 - Missing Authorization to Unauthenticated Premium Feature Activation via check_activate_permission Function
  Values Added: Al Pack <= 1.1.1 - Missing Authorization to Unauthenticated Premium Feature Activation via check_activate_permission Function
Type: References

Mon, 18 Aug 2025 21:00:00 +0000

Type: First Time appeared
  Values Added: Loword; Loword al Pack; Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Added: Loword; Loword al Pack; Wordpress; Wordpress wordpress

Mon, 18 Aug 2025 19:15:00 +0000

Type: Metrics
  Values Added: ssvc
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 16 Aug 2025 03:45:00 +0000

Type: Description
  Values Added: The AL Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the check_activate_permission() permission callback for the /wp-json/presslearn/v1/activate REST API endpoint in all versions up to, and including, 1.0.2. The callback reads the client-supplied Origin header and, after parsing, allows the request if it matches one of the trusted domains, without ever verifying user authentication, capabilities, or nonce tokens. This makes it possible for unauthenticated attackers to activate premium features by simply spoofing the Origin header.
Type: Title
  Values Added: Al Pack <= 1.0.2 - Missing Authorization to Unauthenticated Premium Feature Activation via check_activate_permission Function
Type: Weaknesses
  Values Added: CWE-862
Type: References
Type: Metrics
  Values Added: cvssV3_1
  {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:02:08.184Z

Reserved: 2025-07-14T21:30:46.374Z

Link: CVE-2025-7664

Vulnrichment

Updated: 2025-08-18T13:36:36.808Z

NVD

Status: Deferred

Published: 2025-08-16T04:16:06.283

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7664

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T19:30:06Z

Weaknesses