ruddernation TinyChat Room Spy Plugin room-spy.php wp_show_room_spy cross site scripting
Description
A vulnerability classified as problematic was found in the ruddernation TinyChat Room Spy Plugin up to version 1.2.8 on WordPress. This vulnerability affects the function wp_show_room_spy of the file room-spy.php. Manipulation of the argument room leads to cross-site scripting. The attack can be initiated remotely. Upgrading to version 1.2.9 addresses this issue. The name of the patch is ab72627a963d61fb3bc31018e3855b08dc94a979. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-230392.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- ruddernation / TinyChat Room Spy Plugin, range: <=1.2.8
- ruddernation / TinyChat Room Spy Plugin (v5), range: 1.2.0
Patches
Vulnerability mechanics
Root cause
"The application fails to properly sanitize user-supplied input in the 'room' argument, allowing for the injection of malicious script content."
Attack vector
An attacker can manipulate the 'room' argument to inject cross-site scripting payloads. The attack can be initiated remotely by sending a crafted request that reaches the affected function. The vulnerability is present in versions up to 1.2.8 of the TinyChat Room Spy Plugin [ref_id=1].
Affected code
The vulnerability resides in the `wp_show_room_spy` function within the `room-spy.php` file. The manipulation of the 'room' argument in this function leads to the cross-site scripting vulnerability [ref_id=1].
What the fix does
The patch addresses the vulnerability by enforcing a length limit and removing special characters from the 'room' argument. Specifically, it limits the room name to 32 characters and applies `htmlspecialchars` to the input, so that HTML metacharacters are escaped before the value is used [ref_id=1]. This ensures that user-supplied room names are safely processed before being used in subsequent operations.
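The following is an added example, not code from the plugin or from the referenced commit. It shows a room-name sanitizer modelled on the fix described above (a 32-character limit followed by `htmlspecialchars`), placed beside the unsafe pattern it replaces. The function names, the markup template and the sample inputs are constructed for this illustration and are assumptions, not the plugin's actual code.

```php
<?php
// Added example (not the plugin's own code): sanitizer modelled on the fix
// described on this page. Function names, markup and samples are constructed.

function tinychat_sanitize_room(string $room): string
{
    // Enforce the 32-character limit before escaping. mb_substr() is used so a
    // multibyte character is never cut in half; htmlspecialchars() returns an
    // empty string for invalid UTF-8, which would silently blank the room name.
    $room = mb_substr($room, 0, 32, 'UTF-8');

    // Escape HTML metacharacters. ENT_QUOTES covers both quote styles so the
    // value is safe inside single- and double-quoted attributes as well as text.
    return htmlspecialchars($room, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Unsafe pattern (constructed markup): the raw request value is interpolated
// straight into an HTML attribute, so a quote or angle bracket changes the markup.
function render_room_vulnerable(string $room): string
{
    return '<div id="room-spy" data-room="' . $room . '"></div>';
}

// Hardened pattern: the value is sanitized before it reaches any HTML context.
function render_room_hardened(string $room): string
{
    return '<div id="room-spy" data-room="' . tinychat_sanitize_room($room) . '"></div>';
}

// Constructed sample inputs covering the normal case, a markup-breaking value
// and an over-long value.
$samples = [
    'lobby',                 // ordinary room name, passes through unchanged
    'lobby"><b>x</b>',       // closes the attribute when unescaped
    str_repeat('a', 40),     // over-long name, truncated to 32 characters
];

foreach ($samples as $s) {
    echo "input:      ", $s, "\n";
    echo "vulnerable: ", render_room_vulnerable($s), "\n";
    echo "hardened:   ", render_room_hardened($s), "\n\n";
}
```

Run with `php example.php`. For the second sample the hardened output contains `&quot;&gt;&lt;b&gt;x&lt;/b&gt;` inside the attribute, so the browser treats it as data rather than markup; for the third sample the attribute holds exactly 32 characters. A stricter option, beyond what the page describes, is to validate room names against an allowlist (for example letters, digits, hyphen and underscore) and reject anything else, which removes the need to reason about escaping contexts at all.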
Preconditions
- input: The attacker must provide a manipulated value for the 'room' argument.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/wp-plugins/tinychat-roomspy/commit/ab72627a963d61fb3bc31018e3855b08dc94a979 (mitre, patch)
- vuldb.com (mitre, signature, permissions-required)
- vuldb.com (mitre, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.