A CSRF vulnerability exists in LFCMS 3.7.0: users can be added arbitrarily.
https://www.exploit-db.com/exploits/44918/
https://www.cnblogs.com/v1vvwv/p/9203740.html
http://www.iwantacve.cn/index.php/archives/43/
http://packetstormsecurity.com/files/148268/LFCMS-3.7.0-Cross-Site-Request-Forgery.html