There is a CSRF vulnerability that can add the administrator account

[Rambo-996]

After the administrator logged in, open the following page to add an administrator.
poc：

<script>history.pushState('', '', '/')</script>

[anupriya17]

Thank you for pointing the vulnerability. Could you apply a fix?

…

On 10-Aug-2018, at 3:44 PM, Vict00r ***@***.***> wrote: After the administrator logged in, open the following page to add an administrator. poc： <script>history.pushState('', '', '/')</script> — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.

[Rambo-996]

You can add an token in your form or url to avoid this kind of vulnerability.
I think that is the most easy way.