CVE-2024-5438: The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Refere
medium vulnerability
security
Summary
The Tutor LMS plugin for WordPress (versions up to 2.7.1) is vulnerable to an insecure direct object reference (IDOR), a flaw in which a user reaches resources they should not be able to access by manipulating object identifiers. The flaw is in the 'attempt_delete' function. Because of this missing validation, instructors and higher-level users can delete any quiz attempts, even those belonging to other users.
Vulnerability Details
CVSS Score
4.3 (medium)
EPSS (30-day exploit probability)
EPSS: 0.1%
Classification
Attack Sophistication: Moderate
Taxonomy References
CWE (Weakness Type)
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-5438
First tracked: February 15, 2026 at 08:37 PM
Classified by LLM (prompt v3) · confidence: 95%