CVE-2024-5438 is a medium-severity vulnerability identified in the Tutor LMS plugin for WordPress, a widely used e-learning and online course management solution. The vulnerability is classified as an Insecure Direct Object Reference (IDOR), specifically CWE-639, which occurs due to insufficient validation of a user-controlled key parameter in the 'attempt_delete' function. This function is responsible for deleting quiz attempts within the LMS. Because the plugin fails to verify that the authenticated user has the appropriate authorization to delete a given quiz attempt, any user with Instructor-level privileges or higher can manipulate the key parameter to delete arbitrary quiz attempts belonging to other users or courses. This bypasses intended access controls and compromises the availability of quiz data. The vulnerability affects all versions up to and including 2.7.1 of Tutor LMS. Exploitation requires the attacker to be authenticated with at least Instructor-level access, but no additional user interaction is necessary. The CVSS 3.1 base score is 4.3, reflecting a network attack vector, low attack complexity, privileges required, no user interaction, unchanged scope, and impact limited to availability (deletion of quiz attempts). No known public exploits are reported yet, and no patches have been linked at the time of disclosure. The vulnerability could disrupt course assessments and data integrity indirectly by removing quiz attempts, potentially affecting student progress tracking and grading.

The primary impact of CVE-2024-5438 is on the availability of quiz attempt data within affected Tutor LMS installations. Unauthorized deletion of quiz attempts can disrupt course administration, student assessment records, and overall learning management workflows. This could lead to loss of critical educational data, administrative overhead to restore or re-collect data, and potential reputational damage for educational institutions or organizations relying on Tutor LMS. While confidentiality and integrity of data are not directly compromised, the ability to delete arbitrary quiz attempts undermines trust in the LMS platform's access controls. Organizations with large numbers of instructors and students are at higher risk of operational disruption. The requirement for authenticated Instructor-level access limits the threat to insiders or compromised instructor accounts, but insider threats or account takeovers could exploit this vulnerability. The lack of public exploits reduces immediate risk, but the vulnerability should be addressed promptly to prevent abuse.

1. Apply patches or updates from the Tutor LMS vendor as soon as they become available to address the authorization validation flaw. 2. In the interim, restrict Instructor-level privileges to trusted personnel only and review user roles to minimize unnecessary elevated access. 3. Implement additional monitoring and alerting on deletion events within the LMS to detect suspicious activity related to quiz attempts. 4. Employ web application firewalls (WAFs) with custom rules to detect and block anomalous requests targeting the 'attempt_delete' function or suspicious parameter manipulation. 5. Conduct regular audits of LMS user permissions and access logs to identify potential misuse or unauthorized deletions. 6. Educate instructors and administrators about the risk of account compromise and enforce strong authentication mechanisms such as multi-factor authentication (MFA). 7. Backup quiz attempt data frequently to enable recovery in case of unauthorized deletions. 8. Consider isolating LMS environments or limiting network exposure to reduce attack surface.