# Exploit Title: WUZHI CMS 4.1.0 CSRF vulnerability add admin account
# Date: 2018-04-10
# Exploit Author: taoge
# Vendor Homepage: https://github.com/wuzhicms/wuzhicms
# Software Link: https://github.com/wuzhicms/wuzhicms
# Version: 4.1.0
# CVE : CVE-2018-9926

An issue was discovered in WUZHI CMS 4.1.0 (https://github.com/wuzhicms/wuzhicms/issues/128).
There is a CSRF vulnerability that can add an admin account via index.php?m=core&f=power&v=add.

After the administrator has logged in, open the CSRF exp page.
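
For defenders, a log check for requests to the route named above that did not originate from the site's own pages. This is an added example, not part of the original advisory or the WUZHI CMS code base; it assumes a "combined"-format web server access log, and the hostname cms.example.test and all sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Route named in the advisory: index.php?m=core&f=power&v=add
ROUTE = {"m": "core", "f": "power", "v": "add"}

# Constructed sample lines (hypothetical hosts and addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Apr/2018:09:12:01 +0000] "POST /index.php?m=core&f=power&v=add HTTP/1.1" 200 512 "http://cms.example.test/index.php" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Apr/2018:09:15:44 +0000] "POST /index.php?m=core&f=power&v=add HTTP/1.1" 200 498 "http://other.example.net/page.html" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Apr/2018:09:16:02 +0000] "POST /index.php?v=add&m=core&f=power HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Apr/2018:09:20:30 +0000] "GET /index.php HTTP/1.1" 200 2048 "http://other.example.net/page.html" "Mozilla/5.0"',
]


def is_admin_add(target):
    """True when the request target addresses the admin-creation route."""
    parts = urlsplit(target)
    if not parts.path.endswith("index.php"):
        return False
    query = parse_qs(parts.query)
    # PHP keeps the last value of a repeated parameter, so compare against [-1].
    return all(query.get(k, [""])[-1] == v for k, v in ROUTE.items())


def suspicious_requests(lines, site_hosts):
    """Return (ip, timestamp, reason) for admin-add hits not sent from the site itself."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not is_admin_add(m["target"]):
            continue
        referer = m["referer"]
        if referer in ("", "-"):
            reason = "no Referer"  # weaker signal: browsers may strip the header
        else:
            host = (urlsplit(referer).hostname or "").lower()
            if host in site_hosts:
                continue
            reason = "cross-site Referer: " + (host or "unparseable")
        findings.append((m["ip"], m["ts"], reason))
    return findings
```

Each finding is a lead to correlate with the CMS's admin account list, since any account created at that timestamp was not added from the admin panel's own form.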