CVE-2025-7664
BaseFortify
Publication date: 2025-08-16
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | wordpress | * |
| loword | al_pack | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the AL Pack plugin for WordPress, where a missing capability check on the check_activate_permission() callback for the /wp-json/presslearn/v1/activate REST API endpoint allows unauthorized access. The callback only checks the client-supplied Origin header against trusted domains without verifying user authentication, capabilities, or nonce tokens. As a result, unauthenticated attackers can activate premium features by spoofing the Origin header.
How can this vulnerability impact me?
An attacker can exploit this vulnerability to activate premium features of the AL Pack plugin without proper authorization. This unauthorized activation could lead to misuse of premium functionalities, potentially causing financial loss or unauthorized access to features intended only for paying users.
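The weakness described above (a REST permission callback that trusts the client-supplied Origin header) next to the check a plugin author would apply instead, as an added PHP example that is not AL Pack's own code; the route namespace, function names and option name are hypothetical:

```php
<?php
// Added example, not the AL Pack plugin's code. Route and function names are hypothetical.
// Registers a REST endpoint whose permission_callback enforces a capability instead of
// trusting the Origin header.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/activate', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_activate',
        'permission_callback' => 'example_plugin_activate_permission',
    ) );
} );

// WEAK: the pattern CVE-2025-7664 describes. The Origin header is set by the client,
// so matching it against a list of trusted domains proves nothing about who is calling.
function example_plugin_weak_permission( WP_REST_Request $request ) {
    $origin = $request->get_header( 'origin' );
    return in_array( $origin, array( 'https://trusted.example' ), true );
}

// HARDENED: require an authenticated user with an administrative capability.
// For cookie-authenticated REST requests WordPress core only treats the caller as
// logged in when a valid X-WP-Nonce (action 'wp_rest') accompanies the request,
// so current_user_can() below already reflects the nonce check.
function example_plugin_activate_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }
    return true;
}

// The privileged action runs only after permission_callback has returned true.
function example_plugin_activate( WP_REST_Request $request ) {
    update_option( 'example_plugin_premium_active', true );
    return rest_ensure_response( array( 'activated' => true ) );
}
```

Auditing for this class of bug (CWE-862) means reading every `permission_callback` in a plugin's `register_rest_route()` calls and confirming each one decides on the authenticated user's capabilities, not on request headers, `__return_true`, or nothing at all.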