This page can be accessed directly...
https://xat.com/web_gear/chat/inappropriateprofile.php (without id=ID_HERE)
https://xat.com/web_gear/chat/editgroup.php (without GroupName=CHATNAME_HERE)
https://xat.com/web_gear/chat/events.php (without roomid=ID_HERE and GroupName=CHATNAME_HERE)
https://xat.com/web_gear/chat/ownerfeedback.php (without GroupName=CHATNAME_HERE)
https://xat.com/web_gear/chat/inappropriate.php (without roomid=ID_HERE and GroupName=CHATNAME_HERE)
So doing this user can send requests, report inappropriate or send feedback for a chat that doesnt exist or report something that doesnt exist, or empty.
I've tested and I can confirm it, I reported someone without id=ID_HERE and it says email sent...