AL Pack WordPress Plugin Missing Authorization Vulnerability in REST API Endpoint

Vulnerability

A vulnerability exists in the AL Pack plugin for WordPress, all versions through and including 1.0.2. The issue arises from a missing capability check in the check_activate_permission() callback for the /wp-json/presslearn/v1/activate REST API endpoint. This absence of proper authorization allows unauthenticated attackers to activate premium features by spoofing the Origin header. The callback accepts requests from trusted domains without verifying user authentication, capabilities, or nonce tokens.

Impact

Exploitation of this vulnerability allows unauthenticated users to activate premium features of the AL Pack WordPress plugin, bypassing normal authorization checks.

Added: Aug 16, 2025, 4:19 AM

Updated: Aug 16, 2025, 4:19 AM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.6

exploitability

8.1

remediation

0.0

relevance

0.4

threat

3.2

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.6

exploitability

8.1

remediation

0.0

relevance

0.4

threat

3.2

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

AL Pack WordPress Plugin Missing Authorization Vulnerability in REST API Endpoint

Vulnerability

Impact

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating