Tutor LMS – eLearning and online course solution < 2.7.2 – Authenticated (Instructor+) Insecure Direct Object Reference to Arbitrary Quiz Attempt Deletion | CVE 2024-5438 | Plugin Vulnerabilities

Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.7.1 via the 'attempt_delete' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Instructor-level access and above, to delete arbitrary quiz attempts.

Affects Plugins

Fixed in 2.7.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/00ec14d4-d97b-40b1-b61b-05e911f49bb0

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Thanh Nam Tran

Verified

No

WPVDB ID

ca83fadf-b931-487e-b7eb-0b669c95a935

Timeline

Publicly Published

2024-06-06 (about 1 year ago)

Added

2024-06-07 (about 1 year ago)

Last Updated

2024-06-07 (about 1 year ago)

Other

Published

Title

Published

2025-01-09

Title

WPBookit < 1.6.6 - Unauthenticated Arbitrary User Password Change

Published

2024-01-02

Title

WP 2FA < 2.6.0 - Subscriber+ Arbitrary Email Sending

Published

2025-12-06

Title

Thim Elementor Kit < 1.3.4 - Authenticated (Contributor+) Insecure Direct Object Reference

Published

2025-12-01

Title

Contact Form Email < 1.3.61 - Unauthenticated Insecure Direct Object Reference

Published

2026-04-03

Title

WCFM - WooCommerce Frontend Manager < 6.7.26 - Insecure Direct Object References to Autenticated (Vendor+) Arbitrary Post/Product Manipulation