CVE-2025-7664
📋 TL;DR
The AL Pack WordPress plugin has an authentication bypass vulnerability that allows unauthenticated attackers to activate premium features by spoofing the Origin header in REST API requests. This affects all WordPress sites using AL Pack plugin versions 1.0.2 and earlier. Attackers can exploit this without any authentication or special privileges.
💻 Affected Systems
- AL Pack WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could activate all premium features without payment, potentially enabling functionality that should be restricted to paying customers, leading to revenue loss and unauthorized access to premium capabilities.
Likely Case
Unauthorized users activate premium features they haven't paid for, resulting in lost revenue for the plugin developer and potential service degradation if premium features consume additional resources.
If Mitigated
With proper authentication checks, only authorized users with appropriate permissions could activate premium features as intended.
🎯 Exploit Status
Exploitation requires only HTTP request manipulation to spoof Origin headers, making it trivial for attackers with basic web knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check WordPress plugin repository for version >1.0.2
Vendor Advisory: https://wordpress.org/plugins/alpack/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find AL Pack plugin
4. Check for available updates
5. Update to latest version
6. Verify plugin is updated to version >1.0.2
🔧 Temporary Workarounds
Disable vulnerable REST endpoint
Remove or restrict access to the vulnerable /wp-json/presslearn/v1/activate endpoint
Add to theme's functions.php or custom plugin:
add_filter('rest_endpoints', function ($endpoints) {
    // Unregister the AL Pack activation route so WordPress answers 404 for it
    // instead of dispatching to the plugin's Origin-header check.
    if (isset($endpoints['/presslearn/v1/activate'])) {
        unset($endpoints['/presslearn/v1/activate']);
    }
    return $endpoints;
});
Web Application Firewall rule
Block requests to the vulnerable endpoint
WAF rule to block:
Path: /wp-json/presslearn/v1/activate
Method: POST
Action: Block
🧯 If You Can't Patch
- Disable the AL Pack plugin completely until patched
- Implement network-level blocking of the /wp-json/presslearn/v1/activate endpoint
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for AL Pack version. If version is 1.0.2 or lower, you are vulnerable.
Check Version:
wp plugin list --name=alpack --field=version
Verify Fix Applied:
After updating, verify the plugin version is >1.0.2. Test the endpoint with spoofed Origin header to confirm it now requires proper authentication.
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-json/presslearn/v1/activate from unauthenticated users
- Requests with spoofed Origin headers
- Activation of premium features without corresponding user authentication events
Network Indicators:
- Unusual traffic patterns to the REST API endpoint
- Requests with manipulated Origin headers
SIEM Query:
source="wordpress.log" AND uri="/wp-json/presslearn/v1/activate" AND http_method="POST" AND user="-"
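The same detection logic as the SIEM query above, run over web server access log lines, as an added example that is not part of this advisory. It assumes Apache/nginx "combined" log format (which carries no Origin header, so it keys on method, path and the remote-user field exactly as the query does); the log lines are constructed samples, not real traffic.

```python
import re
from collections import Counter

# Constructed sample lines in "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:12:00:01 +0000] "POST /wp-json/presslearn/v1/activate HTTP/1.1" 200 57 "https://example.com/" "curl/8.4.0"
203.0.113.5 - - [10/Jan/2025:12:00:02 +0000] "POST /wp-json/presslearn/v1/activate HTTP/1.1" 200 57 "https://example.com/" "curl/8.4.0"
198.51.100.7 - admin [10/Jan/2025:12:05:00 +0000] "POST /wp-json/presslearn/v1/activate HTTP/1.1" 200 57 "https://example.com/wp-admin/" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2025:12:00:03 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9000 "-" "curl/8.4.0"
192.0.2.9 - - [10/Jan/2025:13:00:00 +0000] "POST /wp-json/presslearn/v1/activate?x=1 HTTP/1.1" 403 21 "-" "python-requests/2.31"
"""

# One combined-format line: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

VULN_PATH = "/wp-json/presslearn/v1/activate"

def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(rec):
    """POST to the activate endpoint with no authenticated remote user ("-"), as in the SIEM query.
    The query string is stripped so /activate?x=1 is still matched."""
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path == VULN_PATH and rec["user"] == "-"

def find_unauthenticated_activations(log_text):
    """Return every parsed record that matches the detection rule."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits.append(rec)
    return hits

def count_by_source(hits):
    """Aggregate hits per source IP; repeated hits from one address indicate probing or abuse."""
    return Counter(h["ip"] for h in hits)

if __name__ == "__main__":
    hits = find_unauthenticated_activations(SAMPLE_LOG)
    for ip, n in count_by_source(hits).most_common():
        print(f"{ip}: {n} unauthenticated POST(s) to {VULN_PATH}")
```

Standard access logs only fill the user field for HTTP basic auth, so WordPress cookie sessions also show as "-"; treat this as a coarse first filter and correlate the flagged requests with WordPress-side activation or audit events.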