phpMyChat-Plus 1.98 is vulnerable to reflected XSS via JavaScript injection into the password reset URL. In the URL, the pmc_username parameter to pass_reset.php is vulnerable.
Recent assessments:
cinzinga at March 09, 2020 9:23pm UTC reported:
I am the founder of this exploit. Google dorking revealed very few live instances of this web application running so I have rated the value as low. However, exploiting the reflected XSS is very trivial but would require user interaction to be effective.
Blog post: <https://cinzinga.github.io/CVE-2019-19908/>
Assessed Attacker Value: 2
Assessed Attacker Value: 2Assessed Attacker Value: 4