CVE-2025-7664
AL · AL Pack plugin for WordPress
Executive summary
A high-severity vulnerability exists in the AL Pack plugin for WordPress, identified as CVE-2025-7664. This flaw allows an unauthenticated attacker to gain unauthorized access by exploiting a missing security check in a specific REST API endpoint. Successful exploitation could lead to unauthorized actions within the affected WordPress site, posing a significant risk to site integrity and security.
Vulnerability
The vulnerability is a Missing Authorization flaw. The check_activate_permission() function, which serves as the permission callback for the /wp-json/presslearn/v1/activate REST API endpoint, does not verify whether the user making the request holds the required capability. An unauthenticated attacker can send a crafted request to this endpoint, bypassing the intended authorization check and triggering the endpoint's associated actions without proper authorization.
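To make the class of defect concrete, the following added example (written for this page, not AL Pack's own code) shows a REST permission callback that grants access to everyone beside a hardened version that requires an authenticated user with a privileged capability. The route namespace and function name come from the advisory; the function bodies, the handler, and the choice of the manage_options capability are assumptions.

```php
<?php
/**
 * Illustrative only: a permission callback with no authorization check
 * (the pattern behind a Missing Authorization flaw) beside a hardened one.
 * Route and function names follow the advisory; bodies are assumed.
 */

// Vulnerable pattern: the permission callback succeeds for every caller,
// so an unauthenticated HTTP client reaches the handler unchallenged.
function check_activate_permission_vulnerable( WP_REST_Request $request ) {
    return true; // no capability check at all
}

// Hardened pattern: require a logged-in user with a privileged capability.
// Cookie-authenticated REST calls must also carry a valid X-WP-Nonce header;
// without it WordPress treats the request as unauthenticated (user ID 0),
// so the is_user_logged_in() check below fails closed.
function check_activate_permission_hardened( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) { // capability is an assumption
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }
    return true;
}

// Placeholder handler (assumed); the real plugin's activation logic goes here.
function presslearn_activate_handler( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'activated' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'presslearn/v1', '/activate', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'presslearn_activate_handler',
        // A state-changing route must never use '__return_true' or a callback
        // that unconditionally returns true as its permission_callback.
        'permission_callback' => 'check_activate_permission_hardened',
    ) );
} );
```

When auditing a plugin, grep each register_rest_route() call for its permission_callback and confirm that every state-changing route resolves to a capability check rather than a callback that always returns true.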
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation by an unauthenticated attacker could result in unauthorized activation of plugin features, potentially leading to further security compromises, information disclosure, or denial of service. The primary business risks include damage to the organization's reputation, disruption of web services, and the potential for the compromised website to be used in further attacks.
Remediation
Immediate Action: Update the AL Pack plugin to the latest patched version provided by the vendor without delay. If the plugin is no longer required for business operations, deactivate and uninstall it as a best practice to reduce the attack surface.
Proactive Monitoring: Monitor web server and Web Application Firewall (WAF) logs for any requests targeting the /wp-json/presslearn/v1/activate endpoint. Review WordPress audit logs for any unexpected or unauthorized activation events related to the plugin. An increase in requests to this endpoint from unknown IP addresses could indicate scanning or exploitation attempts.
Compensating Controls: If immediate patching is not feasible, implement a WAF rule to block all access to the vulnerable endpoint (/wp-json/presslearn/v1/activate). Alternatively, temporarily disable the AL Pack plugin until it can be safely updated. Restricting public access to the WordPress REST API can also serve as a broad mitigating control.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Due to the high severity rating (CVSS 7.5) and the fact that this vulnerability can be exploited by an unauthenticated attacker, it is strongly recommended that organizations prioritize the immediate application of the vendor-supplied patch. Although this vulnerability is not currently on the CISA KEV list, the fact that it is reachable without authentication makes it an attractive target for threat actors. Organizations should apply the update and verify that compensating controls are in place if patching cannot be performed immediately.