CVE-2022-4239: 
WordPress vulnerability analysis and mitigation

The Workreap WordPress theme before version 2.6.4 contains an Insecure Direct Object Reference (IDOR) vulnerability, identified as CVE-2022-4239. The vulnerability was discovered by Veshraj Ghimire and publicly disclosed on December 2, 2022. This security flaw affects the theme's addon service functionality and impacts all versions of Workreap prior to version 2.6.4 (WPScan).

The vulnerability stems from improper access control in the theme's addon service functionality. Specifically, when processing the 'workreapaddonsservice_remove' action, the theme fails to verify whether an addon service belongs to the requesting user or validate if it is a legitimate addon service. The vulnerability has been assigned a CVSS score of 4.3 (medium severity) and is classified under CWE-639, falling into the OWASP Top 10 category A5: Broken Access Control (WPScan).

This vulnerability allows any authenticated user with subscriber-level privileges or higher to delete any post within the WordPress installation by simply knowing or guessing the post ID. This represents a significant breach in access control mechanisms and could lead to unauthorized deletion of content (WPScan).

The vulnerability has been fixed in Workreap version 2.6.4. Users are strongly advised to update their Workreap theme installation to this version or later to mitigate the risk (WPScan).