CVE-2024-5438
📋 TL;DR
This vulnerability allows authenticated attackers with Instructor-level access or higher in the Tutor LMS WordPress plugin to delete arbitrary quiz attempts, due to insufficient validation of user-controlled parameters. It affects all Tutor LMS installations up to and including version 2.7.1. Attackers can disrupt learning progress and course integrity by deleting quiz submissions.
💻 Affected Systems
- Tutor LMS – eLearning and online course solution WordPress plugin
📦 What is this software?
Tutor LMS by Themeum
⚠️ Risk & Real-World Impact
Worst Case
Malicious instructors or compromised accounts could systematically delete all quiz attempts across courses, disrupting student progress tracking, causing grade corruption, and potentially violating academic integrity requirements.
Likely Case
Disgruntled instructors or attackers with stolen credentials deleting specific quiz attempts to manipulate grades or disrupt specific students' progress.
If Mitigated
Limited impact with proper access controls, audit logging, and regular backups allowing recovery of deleted attempts.
🎯 Exploit Status
Exploitation requires authenticated access with Instructor privileges. The vulnerability is in the 'attempt_delete' function where user-controlled parameters lack proper validation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.2 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3098465/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Tutor LMS plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 2.7.2+ from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Restrict Instructor Role Access
Temporarily limit the Instructor role's permissions, or reduce the number of users with Instructor-or-higher access, until the patch is applied.
Use WordPress role management plugins or custom code to restrict quiz attempt deletion capabilities.
Implement Web Application Firewall Rules
Block or monitor requests to the quiz attempt deletion endpoint that carry suspicious parameters.
Configure WAF to monitor POST requests to */wp-admin/admin-ajax.php with action=tutor_delete_quiz_attempt
🧯 If You Can't Patch
- Implement strict access controls and audit all users with Instructor+ roles
- Enable comprehensive logging of all quiz attempt deletion actions and implement regular backup of quiz data
🔍 How to Verify
Check if Vulnerable:
Check Tutor LMS plugin version in WordPress admin → Plugins → Tutor LMS. If version is 2.7.1 or lower, system is vulnerable.
Check Version:
In WordPress: check the Plugins page, or run wp plugin list --field=version --name=tutor with WP-CLI.
Verify Fix Applied:
After updating, verify version is 2.7.2 or higher. Test quiz attempt deletion functionality with Instructor role to ensure proper authorization checks.
📡 Detection & Monitoring
Log Indicators:
- Multiple quiz attempt deletion actions from single user in short timeframe
- Deletion of quiz attempts outside user's assigned courses
- Admin-ajax.php requests with tutor_delete_quiz_attempt action and unusual parameters
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=tutor_delete_quiz_attempt containing manipulated attempt_id parameters
SIEM Query:
source="wordpress.log" AND "tutor_delete_quiz_attempt" AND (user_role="instructor" OR user_role="administrator") | stats count by src_ip, user
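The following Python is an added example, not part of this advisory, that implements the two log indicators above (a burst of deletions by one user in a short timeframe, and deletion of attempts outside the user's own courses) over constructed audit-log lines. The line format, the attempt-to-course and instructor-to-course tables, and the burst threshold are assumptions for illustration, not a real Tutor LMS or WordPress log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit-log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z user=alice role=instructor src_ip=203.0.113.5 action=tutor_delete_quiz_attempt attempt_id=101
2024-06-01T10:00:03Z user=alice role=instructor src_ip=203.0.113.5 action=tutor_delete_quiz_attempt attempt_id=102
2024-06-01T10:00:04Z user=alice role=instructor src_ip=203.0.113.5 action=tutor_delete_quiz_attempt attempt_id=103
2024-06-01T10:00:05Z user=alice role=instructor src_ip=203.0.113.5 action=tutor_delete_quiz_attempt attempt_id=104
2024-06-01T10:30:00Z user=bob role=instructor src_ip=198.51.100.7 action=tutor_delete_quiz_attempt attempt_id=205
2024-06-01T10:31:00Z user=bob role=instructor src_ip=198.51.100.7 action=tutor_quiz_attempt_review attempt_id=206
"""

# Constructed ownership data: course of each attempt, courses each instructor teaches.
ATTEMPT_COURSE = {101: 1, 102: 1, 103: 1, 104: 1, 205: 2, 206: 2}
INSTRUCTOR_COURSES = {"alice": {1}, "bob": {3}}

LINE_RE = re.compile(r"^(\S+) (.*)$")

def parse_line(line):
    """Parse one '<timestamp> k=v k=v ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    fields["ts"] = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return fields

def detect(log_text, burst_threshold=3, window=timedelta(seconds=60)):
    """Return (rule, user, detail) alerts for quiz-attempt deletion events."""
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps of deletions inside the window
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev or ev.get("action") != "tutor_delete_quiz_attempt":
            continue
        user, ts, attempt_id = ev["user"], ev["ts"], int(ev["attempt_id"])
        # Rule 1: deletion of an attempt that belongs to a course the user does not teach.
        if ATTEMPT_COURSE.get(attempt_id) not in INSTRUCTOR_COURSES.get(user, set()):
            alerts.append(("foreign_course_delete", user, attempt_id))
        # Rule 2: sliding-window burst of deletions by one user; fires once per burst.
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) == burst_threshold:
            alerts.append(("delete_burst", user, len(q)))
    return alerts
```

In production the same rules would read the site's real audit log and the course assignments from the Tutor LMS database rather than the constructed tables here.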
🔗 References
- https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1806
- https://plugins.trac.wordpress.org/changeset/3098465/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/00ec14d4-d97b-40b1-b61b-05e911f49bb0?source=cve