EssentialsX

/tpaccept accepting first request instead of latest request.

accLarson opened this issue · 0 comments

Type of bug

Exploit

/ess dump all output

https://essentialsx.net/dump.html?id=a37828c4cf6946daa5103059ff358ae6

Error log (if applicable)

No response

Bug description

When playerX accepts a tpa request with /tpaccept, if playerX has multiple requests, the first request is accepted rather than the latest (expected behaviour). Players are using this to maliciously spam a few requests out and hope the requested players get a second request from some trusted player and accept (which would then accept their request).

A temporary sort of bandaid fix for my case is to set tpa-accept-cancellation to 5 rather than our usual 60. Shortening this window allows for less abuse.

I should note that if playerX has 2 requests and the first times out and the second is still live, when playerX accepts, the first message they receive is that the first player's request has timed out, followed by a message indicating they accepted the second player's request; the tpa of the second player goes through.

Steps to reproduce

PlayerX, PlayerY, PlayerZ

  1. PlayerY executes /tpa PlayerX
  2. PlayerZ executes /tpa PlayerX
     Both requests should not be timed out, so set tpa-accept-cancellation accordingly.
  3. PlayerX executes /tpaccept

Expected behaviour

PlayerZ's request should be granted.

Actual behaviour

PlayerY's request is granted
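
The selection behaviour reported above, reduced to a stand-alone model. This is an added example, not part of the original issue and not EssentialsX code: the class and method names are hypothetical, the timestamps are constructed, and the timeout stands in for tpa-accept-cancellation.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Optional;

// Added illustration; class and method names are hypothetical, not EssentialsX code.
public class TpaRequestDemo {
    record Request(String requester, long sentAtMs) {}

    private final Deque<Request> pending = new ArrayDeque<>(); // oldest request first
    private final long timeoutMs; // plays the role of tpa-accept-cancellation (seconds)

    TpaRequestDemo(long timeoutSeconds) { this.timeoutMs = timeoutSeconds * 1000; }

    void request(String requester, long nowMs) {
        pending.addLast(new Request(requester, nowMs));
    }

    // Requests older than the cancellation window are discarded before any choice is made.
    private void dropExpired(long nowMs) {
        pending.removeIf(r -> nowMs - r.sentAtMs() >= timeoutMs);
    }

    // Behaviour described in the report: the oldest live request wins.
    Optional<String> acceptOldest(long nowMs) {
        dropExpired(nowMs);
        return Optional.ofNullable(pending.pollFirst()).map(Request::requester);
    }

    // Expected behaviour: the most recent live request wins.
    Optional<String> acceptLatest(long nowMs) {
        dropExpired(nowMs);
        return Optional.ofNullable(pending.pollLast()).map(Request::requester);
    }

    // Constructed scenario from the reproduction steps: PlayerY asks first, PlayerZ second.
    static TpaRequestDemo scenario(long timeoutSeconds) {
        TpaRequestDemo q = new TpaRequestDemo(timeoutSeconds);
        q.request("PlayerY", 0);      // unsolicited request sent first
        q.request("PlayerZ", 10_000); // trusted player's request, 10 s later
        return q;
    }

    public static void main(String[] args) {
        long acceptAt = 12_000; // PlayerX types /tpaccept 12 s after the first request
        System.out.println("60s window, oldest: " + scenario(60).acceptOldest(acceptAt).orElse("none"));
        System.out.println("60s window, latest: " + scenario(60).acceptLatest(acceptAt).orElse("none"));
        System.out.println(" 5s window, oldest: " + scenario(5).acceptOldest(acceptAt).orElse("none"));
    }
}
```

In this model the 5-second window changes the outcome only because PlayerY's request has already expired when PlayerX accepts; a second request arriving inside the window is still shadowed by the older one.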